Take a look at: http://guides.rubyonrails.org/security.html

and then look at what you're trying to provide.

Is it really worth the risk?

A compromise might be http://redcloth.org/, a Textile to Ruby module.

On Jun 29, 5:59 pm, Xdmx Xdmx <[email protected]>
wrote:
> Hi, I want to permit users to send their own content, text, html, and
> stuff like that. It should also permit them to send their own design,
> using div, span, internal style attributes and so on. Obviously I'd like
> to protect everything by forbidding javascript, but permitting object and
> embedded (for youtube, gvideo, etc).
> From a previous post the suggestion was
> wonko/sanitize: http://www.ruby-forum.com/topic/186697
> But I've not found time to try it yet.
> Btw, my question now is another: how can I remove external links, but
> keep the link text and internal links?
> I mean, if a user inserts "<a href="http://externaldomain.com">my
> site</a>" it should be sanitized to just "my site"; instead, if he inserts
> "<a href="http://domain.com">read this page</a>" it should keep it as it
> is (domain.com is "whitelisted"). And it also should remove others like
> mailto:, ftp:, etc (just keep http and https).
> Any hint about this? (considering the first lines about styles, and
> which sanitizer to use)
> thank you
> --
> Posted via http://www.ruby-forum.com/.

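One way to implement the link rule from the quoted question (keep internal http/https links, unwrap everything else to its text), written as an added example and not code from this thread or from any sanitizer gem it mentions. It assumes the markup has already been through an allowlist sanitizer such as the one linked above, so the remaining anchors are well-formed, and ALLOWED_HOSTS is a constructed allowlist for domain.com.

```ruby
require 'uri'

# Constructed allowlist of hosts whose links are kept. Exact host match only:
# no suffix or substring matching, so "domain.com.evil.example" is external.
ALLOWED_HOSTS = %w[domain.com www.domain.com].freeze

# True only for http/https URLs whose host is on the allowlist. The href is
# parsed with URI rather than compared as a string, so tricks like
# "http://domain.com@evil.example/" or "javascript:" are classified correctly.
def internal_link?(href)
  uri = URI.parse(href.to_s.strip)
  return false unless %w[http https].include?(uri.scheme.to_s.downcase)
  ALLOWED_HOSTS.include?(uri.host.to_s.downcase)
rescue URI::Error
  false # unparseable href: never treat it as internal
end

# Matches one sanitizer-normalised <a ...>text</a> element (m: dot spans newlines).
ANCHOR = %r{<a\b([^>]*)>(.*?)</a>}mi
# Extracts the href value whether double-quoted, single-quoted or bare.
HREF   = /\bhref\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i

# Keeps internal anchors untouched and replaces every other anchor
# (external host, mailto:, ftp:, missing href) with just its inner text.
def strip_external_links(html)
  html.gsub(ANCHOR) do
    whole, attrs, text = $&, $1, $2   # save before the next match resets $~
    m = attrs.match(HREF)
    href = m && (m[1] || m[2] || m[3])
    href && internal_link?(href) ? whole : text
  end
end
```

Run this after the allowlist sanitizer, not instead of it: it only decides which already-clean anchors survive.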