Reputation: 959
I know I can use the ActionView helper strip_tags
method in my views to sanitize output, but what is the best way to sanitize user input before I persist it to my db? Should I find a way to include the view helper in my controller and reuse the strip_tags method? I thought rails would have something available globally to do something like this.
Upvotes: 9
Views: 3661
Reputation: 1862
Why do you want to sanitize user inputs? That doesn't even make any sense! You always want to sanitize (escape) outputs, not inputs, because the meaning of sanitization depends on the context that you are using the content in. There is no such thing as a string that is safe in any context. You do not want a bunch of mangled strings in your database that are "safe" in whatever scenario your application is using them today, because tomorrow, you might want to do something different with them. If your presentation layer is doing the right thing (escaping content based on the context), then you're fine, no matter how many quotes, backslashes or DROP TABLE statements are in them.
Upvotes: -1
Reputation: 65455
Why do you need to sanitize the user's input?
Typically, all that is needed is rigorous, context-aware encoding/escaping of the user's input any time you print it or embed it within a larger block of output.
Upvotes: -1
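Both answers make the same point: store the raw input and escape it at output time for the context it lands in. The following Ruby script is an added example, not code from any of the posters; it uses only the standard library (no Rails), and the sample input and the `example.test` URL are constructed for the demonstration. It shows the same stored string rendered correctly into an HTML body, a URL query parameter and a JSON value inside a script tag, and what goes wrong when the string was HTML-escaped before it was saved.

```ruby
require "erb"
require "cgi"
require "json"

# Constructed sample input (not from the thread): what a user typed into a form.
RAW_INPUT = %q(Tom & Jerry's <b>"favourite"</b> <script>alert(1)</script>).freeze

# Persist the input exactly as typed. The database is not an HTML context,
# so the stored value carries no escaping of any kind.
def persist(input)
  input.dup.freeze
end

# HTML body / attribute context: escape &, <, >, " and ' at render time.
def render_html(stored)
  ERB::Util.html_escape(stored)
end

# URL query-string context: percent-encoding, a different rule set entirely.
def render_url_param(stored)
  "https://example.test/search?q=#{CGI.escape(stored)}"
end

# JSON embedded in a <script> block: JSON string escaping, plus "</" -> "<\/"
# so a literal </script> inside the data cannot close the surrounding tag.
def render_json_for_script(stored)
  stored.to_json.gsub("</") { "<\\/" }
end

# The "sanitize on input" approach the question asks about: HTML-escape the
# value before persisting it. Correct for HTML, wrong for every other context.
def sanitize_on_input(input)
  ERB::Util.html_escape(input)
end

if __FILE__ == $PROGRAM_NAME
  stored = persist(RAW_INPUT)
  puts render_html(stored)
  puts render_url_param(stored)
  puts render_json_for_script(stored)
  # Escaped-at-input data rendered into a URL: the "&" the user typed has
  # become "%26amp%3B", so the search term no longer matches what they meant.
  puts render_url_param(sanitize_on_input(RAW_INPUT))
end
```

The SQL context is deliberately absent: there the right tool is a parameterized query (which ActiveRecord issues for you when you pass values separately from the SQL), not string escaping, which is another reason a single "sanitized" stored form cannot exist.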