You mean something like http://weblog.techno-weenie.net/2006/9/3/white-listing-plugin-for-rails ?
-- Thomas.

Reinier Balt wrote on 2008/06/24 19:12:
> I think you can do that for the description field, but I don't know about
> the notes field because of the markup that is allowed in there...
>
> Would be nice if there was some sort of whitelist (only allow certain tags)
> & tidy function (adds missing end tags) or something.
>
> Reinier
>
> From: Jeff Gipson [mailto:[EMAIL PROTECTED]
> Sent: Tuesday 24 June 2008 16:56
> To: Reinier Balt
> CC: [email protected]
> Subject: Re: [Tracks-discuss] Tracks-discuss Digest, Vol 28, Issue 20
>
> Reinier Balt wrote:
>
> > How about the belt and suspenders approach?
> > <%= h sanitize(todo.description) %>
> >
> > Is h not enough?
> > If there is XSS stuff in the description, won't h just
> > escape it so that the browser never executes it?
> >
> > Reinier
>
> I suppose that 'h' is enough... That's why I referred to it as a
> "belt-and-suspenders" approach.
>
> But I also wonder... If HTML will not be displayed in output, shouldn't we
> run the 'h' method on form data before the ActiveRecord#save method is run;
> and also should there be some validation being done to prevent saving of
> data with illegal character sequences?
>
> ------------------------------------------------------------------------
>
> _______________________________________________
> Tracks-discuss mailing list
> [email protected]
> http://lists.rousette.org.uk/mailman/listinfo/tracks-discuss
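The difference between `h` and `sanitize`, and what the `<%= h sanitize(...) %>` combination from the thread actually renders, as an added example in plain Ruby (not Tracks or Rails code): `h` is stood in by `CGI.escapeHTML`, and `sanitize` by a hypothetical toy whitelist that also closes unclosed tags, the "tidy" step Reinier asks for.

```ruby
require "cgi"

# Stand-in for the Rails `h` helper (html_escape): every character with
# meaning to the HTML parser becomes an entity, so the browser renders the
# input as text and executes nothing.
def h(text)
  CGI.escapeHTML(text.to_s)
end

# Toy whitelist sanitizer, a hypothetical stand-in for Rails' `sanitize`:
# only the listed tag names survive, every attribute is dropped (so no
# event-handler attribute rides along), all other text is escaped, and tags
# still open at the end are closed (the "tidy" step from the thread).
ALLOWED_TAGS = %w[b i em strong p].freeze

def sanitize(text)
  open_tags = []
  body = text.to_s.split(/(<[^<>]*>)/).map do |tok|
    m = tok.match(%r{\A<(/?)([a-zA-Z0-9]+)\b[^<>]*>\z})
    name = m && m[2].downcase
    if m.nil? || !ALLOWED_TAGS.include?(name)
      h(tok)                  # plain text, malformed tag, or a tag not on the list
    elsif m[1].empty?
      open_tags.push(name)
      "<#{name}>"             # allowed opening tag, attributes removed
    elsif open_tags.last == name
      open_tags.pop
      "</#{name}>"
    else
      ""                      # close tag that matches nothing open: drop it
    end
  end.join
  body + open_tags.reverse.map { |t| "</#{t}>" }.join
end

# The thread's `<%= h sanitize(...) %>`: h runs last, so it also escapes the
# tags sanitize deliberately kept; the user sees a literal "<b>" on the page.
def belt_and_suspenders(text)
  h(sanitize(text))
end
```

Escaping alone (`h`) is the right tool for a field that should never carry markup; the whitelist is only needed for the notes field, and applying `h` on top of it turns the allowed markup back into visible text.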
