Sanitize output in Rails

What is the best solution to sanitize HTML output in Rails (to avoid XSS attacks)?

I have two options: the white_list plugin or the sanitize method from SanitizeHelper (http://api.rubyonrails.com/classes/ActionView/Helpers/SanitizeHelper.html). For me, up to now, the white_list plugin has worked better, and in the past Sanitize was very buggy, but as part of Core it will probably be developed and maintained for a while.

+3
3 answers

I think the h helper method will work here:

<%= h @user.profile %>


+1

</td></tr></span></div>

I usually offer people something like Textile to enter their markup, as I would rather spend my time on business logic than on parsing HTML.

Of course, if this text entry is more fundamental to your application (as on stackoverflow, for example), you should probably pay more attention to doing it by hand.

0
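The two points the answers make, escaping everything with `h` versus the layout damage a fragment of stray closing tags does, as an added example that is not from the question or either answer. It uses `ERB::Util.html_escape` from the Ruby standard library (the method Rails' `h` delegates to) so it runs without Rails, and `stray_closing_tags` is a hypothetical check I wrote for illustration, not a sanitizer and not a replacement for `sanitize`.

```ruby
require 'erb'

# Escaping: what Rails' `h` helper does. Every special character becomes an
# entity, so markup and script in a user profile render as literal text.
def escape_profile(text)
  ERB::Util.html_escape(text)
end

# Tags that never have a closing counterpart, so an unmatched one is fine.
VOID_TAGS = %w[br hr img input].freeze

# Check a user-supplied HTML fragment for closing tags that do not close
# anything opened inside the fragment. A run like </td></tr></div> escapes
# the cell the profile is rendered in and breaks the surrounding layout even
# when no script is involved. Returns the names of the stray closing tags.
def stray_closing_tags(html)
  open_stack = []
  stray = []
  html.scan(%r{<(/?)([a-zA-Z][a-zA-Z0-9]*)[^>]*>}) do |slash, name|
    name = name.downcase
    if slash.empty?
      open_stack.push(name) unless VOID_TAGS.include?(name)
    elsif (idx = open_stack.rindex(name))
      open_stack.slice!(idx..-1)   # closes this tag and anything left open inside it
    else
      stray << name                # closes something opened outside the fragment
    end
  end
  stray
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample profile values, not taken from any real user.
  samples = [
    'I <3 Rails & Ruby',
    '<b>bold</b> <script>alert(1)</script>',
    'bye</td></tr></span></div>',
  ]
  samples.each do |s|
    puts "escaped:             #{escape_profile(s)}"
    puts "stray closing tags:  #{stray_closing_tags(s).inspect}"
  end
end
```

Escaping alone makes all three samples harmless; the second check is only useful if you decide to let some HTML through, and then it tells you which fragments would still escape their container.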

Source: https://habr.com/ru/post/1698433/

