On 31.8.2006, at 9.37, Mark Reginald James wrote:
I wanted to make an ActiveRecord mod that added a "sanitize_html" function that caused the attributes listed as its parameters to be automatically stripped of dangerous HTML segments through use of ActionView::Helpers::TextHelper.sanitize. It was a bit messy to get working because I had to pull part of ActionPack into ActiveRecord, and also avoid a clash with the AR sanitize method (used for database quoting). To make it much easier to call sanitize in AR I would suggest it be moved to an ActiveSupport class, and from there made available as an ActionView helper. I think storing these attributes in sanitized form is a good alternative to sanitizing on every display. Perhaps the same should be done for ActionView::Helpers::TextHelper.strip_tags.
Agreed, as well as for textilize and many others. I don't think any real production app does the textilize process when rendering pages. Now the helper needs to be hacked (or duplicated) to AR on every app.
//jarkko -- Jarkko Laine http://jlaine.net http://odesign.fi
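The sanitize_html mod Mark describes, sketched as a runnable Ruby example (added here; it is not the thread's code nor Rails' own). SimpleSanitizer, TinyRecord and Comment are constructed stand-ins for the Rails helper and ActiveRecord so the example runs without Rails; they illustrate the sanitize-on-write call pattern and the naming clash, not the real helper's allow-list.

```ruby
require "cgi"

# Stand-in for ActionView::Helpers::TextHelper.sanitize (constructed for this example):
# keeps a short allow-list of bare tags and HTML-escapes every other tag, so unknown
# elements and all attributes become inert text instead of markup.
module SimpleSanitizer
  ALLOWED_TAGS = %w[b i em strong p br].freeze
  TAG_RE = %r{<(/?)([a-zA-Z][a-zA-Z0-9]*)\b[^>]*>}

  def self.sanitize(html)
    return html if html.nil?
    out = +""
    pos = 0
    html.scan(TAG_RE) do
      m = Regexp.last_match
      out << CGI.escapeHTML(html[pos...m.begin(0)])   # text between tags
      slash, name = m[1], m[2].downcase
      # allowed tag: re-emit it bare (attributes dropped); anything else: escape to text
      out << (ALLOWED_TAGS.include?(name) ? "<#{slash}#{name}>" : CGI.escapeHTML(m[0]))
      pos = m.end(0)
    end
    out << CGI.escapeHTML(html[pos..])
  end
end

# The class-level mod from the thread: `sanitize_html :a, :b` registers a before_save
# hook that rewrites those attributes. Named sanitize_html to avoid the clash with
# ActiveRecord's own `sanitize` (SQL quoting) that Mark mentions.
module SanitizeHtml
  def sanitize_html(*attrs)
    before_save { |rec| attrs.each { |a| rec[a] = SimpleSanitizer.sanitize(rec[a]) } }
  end
end

# Minimal stand-in for ActiveRecord::Base (constructed): a hash of attributes plus
# per-class before_save callbacks, enough for the hook above to run without Rails.
class TinyRecord
  extend SanitizeHtml
  def self.before_save(&blk); (@callbacks ||= []) << blk; end
  def self.callbacks; @callbacks || []; end
  def initialize(attrs); @attrs = attrs.transform_keys(&:to_sym); end
  def [](key); @attrs[key.to_sym]; end
  def []=(key, value); @attrs[key.to_sym] = value; end
  def save; self.class.callbacks.each { |cb| cb.call(self) }; self; end
end

class Comment < TinyRecord
  sanitize_html :body   # stored already sanitized, so views need not sanitize on display
end

# Round-trip a raw body through save and return what would reach the database.
def sanitized_body(raw)
  Comment.new(body: raw).save[:body]
end
```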
