I hate to be dense here :-) but I'm not sure how I see the wysiwyg editors helping with XSS. A wysiwyg editor would make it easier for a person to enter certain html tags but it wouldn't prevent a malicious person from entering "bad" html/javascript on their own. Correct?
I guess I'd need to use something like the white list plugin to help prevent XSS. By the way, I did come across something called the WhiteListSanitizer which seems to be part of Rails - at least for versions >= 2.0. Is anyone familiar with it? There doesn't seem to be any real documentation or code samples anywhere...

Thanks,
Ken

On Nov 1, 10:08 am, "Scott Ballantyne" <[EMAIL PROTECTED]> wrote:
> just tried this and it was pretty easy to setup and use
>
> http://www.railslodge.com/plugins/1146-yui-rich-text-editor
> http://developer.yahoo.com/yui/docs/YAHOO.widget.SimpleEditor.html
>
> scott
> ekohe.com
>
> On Sat, Nov 1, 2008 at 6:08 AM, Ken <[EMAIL PROTECTED]> wrote:
>
> > Yea, unfortunately my target audience don't know textile and I don't think I could push them into it... It does seem like a good alternative otherwise, though...
> >
> > On Oct 31, 2:56 pm, Ryan Felton <[EMAIL PROTECTED]> wrote:
> >> Ah, I see.. I've used RedCloth and textile-editor-helper for this. We did use TinyMCE in the past and it was a pain.
> >>
> >> I've cleaned up the textile-editor-helper plugin and put the code up on github: http://github.com/felttippin/textile-editor-helper/tree/master
> >>
> >> I've also heard good things about this one: http://github.com/pelargir/textile_toolbar/tree/master
> >>
> >> Ryan
> >>
> >> On Oct 31, 2008, at 4:35 PM, Ken wrote:
> >>
> >> Hi Ryan,
> >>
> >> Thanks for the response. In this particular situation I don't think the syntaxhighlighter will help because nobody will be posting code snippets on this blog (it's part of an application that's not for developers). I'm not familiar with the white list plugin so I'll check it out.
> >>
> >> Thanks,
> >> Ken
> >>
> >> On Oct 31, 2:21 pm, Ryan Felton <[EMAIL PROTECTED]> wrote:
> >> > Assuming you're not using wordpress as your blogging engine: http://wordpress.org/extend/plugins/wp-syntax/screenshots/
> >> >
> >> > I'd say check out the library http://code.google.com/p/syntaxhighlighter/
> >> >
> >> > I've used the white list plugin http://svn.techno-weenie.net/projects/plugins/white_list/ and added table, th, tr, and td tags to it.
> >> >
> >> > Ryan
> >> >
> >> > On Oct 31, 2008, at 4:07 PM, Ken Hudson wrote:
> >> >
> >> > Hi All,
> >> >
> >> > I'm working on a new application that will need a blog. The basics for creating a blog are well documented all over the web and are pretty easy and straightforward. However, most of what you find is very simplistic - blog entries and comments just consisting of simple text, for example. In my application, I will need to allow blog posts to have at least some HTML markup (e.g., links, unordered lists, and in particular images). The same goes for blog comments. Does anyone have any suggestions on how to go about doing this? RedCloth would appear to be one alternative but my users aren't going to know Textile and there's no way I can expect them to learn it. I need to balance my requirements with a healthy concern for cross site scripting (XSS) and I'm unsure how to proceed. I'm very curious how sites like http://www.rubyinside.com accomplish this. I would greatly appreciate any advice!
> >> >
> >> > Thanks,
> >> > Ken

--
SD Ruby mailing list
[email protected]
http://groups.google.com/group/sdruby
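The allow-list idea Ken is asking about, as an added illustration that is not code from this thread, the white_list plugin or Rails: a small pure-Ruby sanitizer that keeps only listed tags and attributes, renders every other tag as literal text, and decodes entities before checking href/src schemes so an encoded `javascript:` does not slip through. The tag and attribute lists are constructed for the example; a real application should use the Rails sanitizer or a proper HTML parser rather than this regex tokenizer.

```ruby
require "cgi"

# Constructed allow-lists for this example (not the plugin's defaults).
ALLOWED_TAGS  = %w[a img ul ol li p b i em strong br].freeze
ALLOWED_ATTRS = { "a" => %w[href title], "img" => %w[src alt] }.freeze
URL_ATTRS     = %w[href src].freeze
SAFE_SCHEMES  = %w[http https mailto].freeze

# Decode entities once, then re-escape: "&amp;" is not doubled and no raw "<" survives.
def esc(text)
  CGI.escapeHTML(CGI.unescapeHTML(text))
end

# Relative URLs and the listed schemes pass; javascript:, data:, vbscript: etc. are rejected.
def safe_url?(value)
  v = value.gsub(/[\x00-\x20]/, "")   # drop whitespace/control chars that can hide a scheme
  return true if v.start_with?("/", "#") || !v.include?(":")
  SAFE_SCHEMES.include?(v.split(":", 2).first.downcase)
end

# Keep only the attributes allowed for this tag; URL attributes are checked on the decoded value.
def filter_attrs(tag, raw)
  allowed = ALLOWED_ATTRS.fetch(tag, [])
  raw.scan(/([a-zA-Z][\w-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/).map do |name, dq, sq, bare|
    name  = name.downcase
    value = CGI.unescapeHTML(dq || sq || bare)
    next nil unless allowed.include?(name)
    next nil if URL_ATTRS.include?(name) && !safe_url?(value)
    %( #{name}="#{CGI.escapeHTML(value)}")
  end.compact.join
end

# Tokenise into tags and text runs. Allowed tags are rebuilt from their filtered
# attributes; unknown tags (script, iframe, ...) are escaped and shown as text.
def sanitize_html(html)
  html.gsub(%r{<(/?)([a-zA-Z][a-zA-Z0-9]*)([^<>]*)>|[^<]+|<}) do
    m = Regexp.last_match
    next esc(m[0]) if m[2].nil?                  # text run or a stray "<"
    tag = m[2].downcase
    next esc(m[0]) unless ALLOWED_TAGS.include?(tag)
    m[1] == "/" ? "</#{tag}>" : "<#{tag}#{filter_attrs(tag, m[3])}>"
  end
end
```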
