Reputation: 959
Sanitize input XSS and HTML input in rails
I know I can use the ActionView helper strip_tags method in my views to sanitize output, but what is the best way to sanitize user input before I persist it to my db? Should I find a way to include the view helper in my controller and reuse the strip_tags method? I thought rails would have something available globally to do something like this.
Upvotes: 9
Views: 3661
Answers (4)
Reputation: 1862
Why do you want to sanitize user inputs? That doesn't even make any sense! You always want to sanitize (escape) outputs, not inputs, because the meaning of sanitization depends on the context that you are using the content in. There is no such thing as a string that is safe in any context. You do not want a bunch of mangled strings in your database that are "safe" in whatever scenario your application is using them today, because tomorrow, you might want to do something different with them. If your presentation layer is doing the right thing (escaping content based on the context), then you're fine, no matter how many quotes, backslashes or DROP TABLE statements are in them.
Upvotes: -1
Reputation: 65455
Why do you need to sanitize the user's input?
Typically, all that is needed is rigorous, context-aware encoding/escaping of the user's input any time you print it or embed it within a larger block of output.
Upvotes: -1
Related Questions
- Best way to go about sanitizing user input in rails
- resolve XSS issue on ruby on rails
- Sanitize output in Rails
- Rails form text_field escaping html
- Sanitizing URL to prevent XSS in Rails
- Escaping HTML in Rails
- Get Rails 3 to sanitize output by default instead of escaping it
- How to sanitize an attribute value in rails
- Ruby on Rails and XSS prevention
- Sanitize Markdown in Rails?