Has anyone encountered an equivalent to HTMLPurifier for Rails apps? Essentially I need to clean up often terribly formed HTML generated by users before saving to the DB.
http://htmlpurifier.org/
You can use the sanitize method.
sanitize(html)
There is also a Sanitize gem.
Sanitize.clean(html)
I tend to prefer the Sanitize gem because it can be used as a before_save filter in your models instead of having to use the sanitize method in each of your views.
I have a large number of views in my Rails application that both:
Have a consistent and repeated structure, and
Involve the use of helpers that accept large hash inputs.
As such, I would like to write these views directly in Ruby (using a DSL/helpers that I would write).
How can I get Rails to allow me to write .html.rb views?
Thanks!
Add an initializer with:
ActionView::Template.register_template_handler(:rb, :source.to_proc)
Then you can write .html.rb views in Ruby; they should return a String of the desired content when executed.
I want to sanitize all the Ruby variables I am using in my view. I know of the sanitize method in Rails. Is there any way to avoid writing sanitize before every variable? In other words, if I have 10 Ruby variables in a view, I have to write sanitize in front of all of them to achieve sanitisation. Is there a way such that I just have to call the method once and all the variables get sanitized?
I'm using Rails 3 and Ruby 1.9.2. I'm not doing anything special when I'm displaying the content of my post; I'm just doing
<%= @post.content %>
When I add
"<script language='javascript'>alert('test');</script>"
to my post form, of course it executes the JavaScript alert!
I tried adding the html_safe both before saving and before displaying but it didn't fix anything.
If I have to add any security code, will I have to add it before saving the post or before displaying it? I heard that Rails 3 was doing it itself so I didn't bother too much about security, but I guess there are still some main things to be careful with.
Rails 3 is quite strict about escaping anything you put into your view, but in Rails 2 and earlier it was your responsibility to do this. You have to escape everything using the h helper method:
<%= h(value) %>
When building an application that accepts arbitrary user input you must be certain you are escaping anything and everything that shows up in the view.
Are you using Rails 3? The JavaScript stuff should automatically be escaped.
But for more info on preventing XSS, I'd just look at Ryan Bates' RailsCasts.
I'm working on upgrading an old Rails app (1.1.6) to Rails 3. Obviously, a lot has changed. One thing appears to be that Rails automatically escapes content dropped into the view. However, I have a situation where I have a helper generating IMG tags for me, and Rails is automatically escaping the resulting content.
<%= random_image('public/images/headers') %>
This results in escaped content, much like one would expect had I done this (in 1.1.6)
<%= h random_image('public/images/headers') %>
Is there a way to tell it to not escape?
<%= raw random_image('public/images/headers') %>
.html_safe
It may need to be inside the helper
There are three ways in which this can be achieved in a Rails 3 application:
html_safe
raw
h
raw and h can only be used in controllers and views; these methods are defined in helpers.
html_safe can be used anywhere in a Rails application, i.e., it can be used in models, helpers, controllers, etc.
For more information please read http://yehudakatz.com/2010/02/01/safebuffers-and-rails-3-0/
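An added stand-alone example (not from any of the answers, and not Rails' own code) that models the h / raw / html_safe rules just described, using a hypothetical SafeString class in place of ActionView's SafeBuffer; it also covers the post-content and random_image situations from the questions above:

```ruby
require "cgi"

# Stand-alone model of the Rails 3 SafeBuffer rules (hypothetical classes,
# not ActionView's own): a String that remembers it was escaped, plus the
# h / raw / html_safe helpers with the roles the answer above describes.
class SafeString < String
  def html_safe?
    true
  end
  # Appending untrusted text to a safe string escapes the untrusted part,
  # so one trusted fragment cannot smuggle in unescaped neighbours.
  def +(other)
    SafeString.new(super(other.html_safe? ? other : CGI.escapeHTML(other)))
  end
end

class String
  def html_safe?
    false
  end
  # html_safe: mark this string as trusted markup; needs no view context,
  # which is why it also works inside models and helpers.
  def html_safe
    SafeString.new(self)
  end
end

module ViewHelpers
  # h: what <%= %> does implicitly in Rails 3. Already-safe values pass
  # through untouched, so escaping twice cannot double-encode them.
  # (to_s on a String subclass would drop the marker, hence the guard.)
  def h(value)
    value = value.to_s unless value.is_a?(String)
    value.html_safe? ? value : CGI.escapeHTML(value).html_safe
  end
  # raw: explicit opt-out for markup the caller vouches for.
  def raw(value)
    (value.is_a?(String) ? value : value.to_s).html_safe
  end
  # Untrusted post body: a stored <script> tag comes out as visible text.
  def render_post(content)
    h(content)
  end
  # A helper that really produces markup (the random_image case): mark the
  # tag safe, but still escape the attribute value that came from outside.
  def render_header(img_path)
    raw(%(<img src="#{h(img_path)}" />))
  end
end
```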
Where can I find a complete list of Rails helper functions (such as form_for)?
Most of them are under ActionView::Helpers in the documentation.
javascript helpers
form helpers
url helpers
tag helpers
asset tag helpers
date helpers
There are more available, so downloading Rails source and looking under action_view/helpers is likely your best bet.
ApiDock is a pretty good source of documentation. Check out http://apidock.com/rails/browse under ActionView::Helpers.
Also Obie Fernandez's book "The Rails Way" has a comprehensive (I believe) chapter on them.