Ruby Sanitize Code ... why and sanitized

Question

I am currently using the following code to sanitize a string before saving it:

ERB::Util::h(string)

My problem occurs when the line has already been cleared as follows:

string = "Watching baseball `&amp;` football"

The sanitized line will look like this:

sanitized_string = "Watching baseball `&amp;amp;` football"

Can I sanitize by simply turning <in <and> in >by substitution?

+3

tdewell Oct 21 '09 at 20:46

4 answers

A quick approach based on this snippet from Erubis .

ESCAPE_TABLE = { '<'=>'&lt;', '>'=>'&gt;' }
def custom_h(value)
   value.to_s.gsub(/[<>]/) { |s| ESCAPE_TABLE[s] }
end

0

Marcel jackwerth Oct 21 '09 at 20:55

, , , :

mystring.gsub( /<(.|\n)*?>/, '' )

0

JRL 21 . '09 20:55

, .

A better approach might be to unencode your string before disinfecting it - h () has an inverse that you could wrap your lines in the first place?

0

Dan davies brackett Oct 21 '09 at 20:55

maxm · Accepted Answer · 2009-10-21T20:54:55+0000

Uncheck the box first, then run again:

require 'cgi'
string = "Watching baseball &amp; football"

CGI.escapeHTML(CGI.unescapeHTML(string))

=> "Watching baseball &amp; football"