funtime
Reputation: 627
How to sanitize "inline javascript" in ruby on rails?
I am specifically developing an app in ruby on rails and i find that the ruby gem "sanitize" is very useful for cleaning the input by user but it does not remove inline javascript which makes it rather useless
I have gone through these but that does not sanitize inline javascript
Is there any better to do this(any gems or so)?
Upvotes: 0
Views: 1438
Answers (1)
EJTH
Reputation: 2218
Well you can set a whitelist for sanitize to only allow specific tags and attributes, so i guess you already got what you are looking for:
Sanitize.clean(html, :elements => ['a', 'span'],
:attributes => {'a' => ['href', 'title'], 'span' => ['class']},
:protocols => {'a' => {'href' => ['http', 'https', 'mailto']}})
Snipped from http://wonko.com/post/sanitize
Upvotes: 1
Related Questions
- resolve XSS issue on ruby on rails
- Rails: How to escape_javascript with client-side AJAX request
- Sanitize JS scripts inside script tag of html file on ruby
- j render With Coffeescript in Rails and Understanding How to Sanitize Javascript
- How can I make rails rails_xss stop escaping my in template Javascript?
- Protecting from XSS in escape_javascript() output in Rails
- Rails render raw html but escape javascript?
- How to escape javascript-generated html in Rails?
- Strip Inline CSS and JavaScript in Rails
- Rich text user input in Rails