similar to: Is sanitize() strong enough to protect me from XSS?

Displaying 20 results from an estimated 2000 matches similar to: "Is sanitize() strong enough to protect me from XSS?"

2006 Apr 24
1
Just a couple questions on how I should go about
> I need a simple blog with categories and comments and an archive. I want a > nice posting system, but don't want it in HTML. Is there something I can add > or make, kind of like BBCODE? http://whytheluckystiff.net/ruby/redcloth/ http://wiki.rubyonrails.org/rails/pages/RedCloth > I pretty much know what else I have to do, but there is one more thing. A > client section.
2006 Jan 09
3
XSS prevention with Rails
Hi! I wanna take a stab at implementing better XSS prevention for Rails. This time for real =) I'm wondering what would be the better way, clean everything up with tidy first and then do the rest with regexp or regexp all the way? Anybody done this before? Thanks! Ciao! Florian
2006 Feb 27
12
RedCloth
Is this the preferred method to implement RedCloth in your views? I'm trying to display user input that will sometimes have code references in it. This strips out all tags. I would like for the tags to be displayed but not read as html. Thanks in advance! <%= RedCloth.new(strip_tags(comment.comment),[:filter_html]).to_html %> charlie bowman recentrambles.com -- Posted via
2006 Mar 07
6
Anybody use Red|Blue Cloth?
Does anybody use and prefer Redcloth (or bluecloth, which appears to be alpha)? Does it affect performance much? Is there a way to get it to automatically process templates without having to call textilize? Thanks, Joe -- Posted via http://www.ruby-forum.com/.
2005 May 24
3
textilize/markdown/sanitize for messageboards, oh my!
Hullo, fellow Railsers! (warning: this isn't a 100% Rails specific question, but I guess it very much applies to what a lot of us are currently doing.) For a project that involves messageboard functionality I'm looking for a good way of sanitizing user input, so the silly fools, err, my wonderful users don't mess things up too much. I've played around with
2008 Feb 01
4
How to sanitize _before_ going into the database?
I use a call to the sanitize method every time I render some user input, but it would be much nicer if I could clean it up once before putting it into the database and avoid having to call the (relatively expensive) sanitize every time I render a page. My first thought was to just add something like: def message=(x) self[:message]=sanitize(x) end However, the sanitize helper cannot be called
2006 May 11
3
sanitize dangers
I've noticed that it is possible to pass javascript unaltered through the sanitize function using CSS. For example: sanitize( "<style type='text/css'>body{background-image:url('javascript:window.alert(1)') }</style>" ) IE will execute the javascript. Firefox will not. I haven't tried it with any other browsers.
2006 Mar 18
2
redirect killing dispatch.cgi
hi, having a maddening problem with redirects between controllers. app is working fine on my two local machines, a mac and a pc, with either webrick or lighttpd/cgi on either machine. i move it to my hosting provider and try to get it working with apache + cgi, most of it works, but it fails at a specific spot, and causes dispatch.cgi to hang indefinitely. nothing shows up at all in the
2005 Dec 21
8
textilize - redcloth
Hi, I'm using textilize with redcloth 3.0.4. Everything works fine except that paragraphs are not translated as an HTML paragraph. When I write something like: *first paragraph* second paragraph the output is without paragraph: *first paragraph* second paragraph Any help??? Thanks Jörg
2006 Apr 25
4
redcloth problems
Hi, I'm having some problems with redcloth (3.0.4 gem) and textilize. I have a string: "h2. hello _what's up?_" which is being textilized as: <h2>hello<br /> <em>what&#8217;s up?</em></h2> so no paragraph and h2 wrapped all the way. the input is coming from firefox 1.5.2 on a mac Anybody got any idea what the problem might be? --
2006 Mar 25
2
Textilize problems with line breaks
I'm having a problem formatting some text. I have a textarea that I input my text into, which will then be put into an e-mail and sent out. The problem I am having is when there is a single line break. Multiple line breaks work fine (hitting enter twice), but single line breaks don't seem to work properly. Take the following input: Line1. Line2. Line3. Line4. Using
2006 Jan 14
11
nuby: do models have to inherit directly from ActiveRecord?
Hello, I have a few models -- book, cd, dvd -- for which I'd like to have an abstract base superclass to hold some common stuff. That abstract class, I was thinking, would inherit from ActiveRecord. Didn't work, though, and looking around, I found this: <http://wiki.rubyonrails.com/rails/pages/HowtoMakeAbstractModel>
2011 Jan 23
2
RedCloth 4.1.1 vs. 4.2.3 - weird behaviour with notextile
For a community project I aim to combine RedCloth and Coderay and on doing this, I might have found an issue with RedCloth. I pushed a demo to Github: https://github.com/markusproske/redcloth_coderay_demo The index (http://localhost:3000/) demonstrates the issue. In brief: A page consists of textile. The textile contains @@@ruby somecode @@@ The textile is first fed into Coderay via a helper
2006 Jan 19
4
create an object from a string?
I'm trying to dynamically create an instance of an object at runtime, from a String. I have a method that returns one of a number of Strings ("Car", "Motorcycle", "Bicycle"), and when I receive the String, I then want to instantiate one of those objects. Seems like there should be a way to do it in Ruby, but maybe I've been up too long --
2005 Dec 24
2
Textilize on ajax update
I'm writing a basic to-do application. I'm using a form_remote_tag to submit the entry to my controller, which then returns the entry to be displayed in the table of to-do items. However, I'd like to be able to "textilize" the entry without having to reload the page. Is there any way to have my ajax function textilize the text before displaying it in the list?
2008 Oct 06
2
textilize with --- (3 dashes) removes text
Hi, using --- (3 dashes) at the end of a string that is textilized, results in a single hr tag without any text. This seems weird to me. Am I overlooking something? >> av = ActionView::Base.new >> av.textilize("sometext ---") => "<hr />" Cheers, Jan
2006 Mar 10
2
textilize != RedCloth.new ?
For me, textilize(stuff) produces nasty stuff - <br>'s instead of enclosing <p>'s and some closing <h*>'s are missing. RedCloth.new(stuff) works fine though. Isn't textilize supposed to produce the same output? Or do I need to tweak something? Joe -- Posted via http://www.ruby-forum.com/.
2007 Dec 05
2
some redcloth questions
1) Is there a way to strip a redcloth string of all redcloth tags? I need to display a snippet of the text in an index page and want all markings removed. I used RedCloth.new('a').methods but didn't find anything appropriate. For now, I'm converting to html then stripping tags. 2) what's the best practice in terms of storing user's redcloth-
2008 Mar 15
8
Now what?
> $ rake test > /usr/local/bin/ruby -Ilib:test "/usr/local/lib/ruby/gems/1.8/gems/ > rake-0.7.3/lib/rake/rake_test_loader.rb" "test/test_formatters.rb" > "test/test_parser.rb" > Loaded suite /usr/local/lib/ruby/gems/1.8/gems/rake-0.7.3/lib/rake/ > rake_test_loader > Started >
2006 Jan 18
1
RedCloth and lang specific hooks
Hi, I use textilize() which is a great way of letting end users edit contents. But the code in RedCloth is quite compact, and doesn't allow for easily adding correct typographic behaviour depending on the lang of the text. For instance, correct quoting uses round double quotes in english and double carons ? ? in french; the spaces before punctuation can be corrected too. I'd