Zakir Hemraj

Reputation: 959

Sanitize XSS and HTML input in Rails

I know I can use the ActionView helper strip_tags method in my views to sanitize output, but what is the best way to sanitize user input before I persist it to my db? Should I find a way to include the view helper in my controller and reuse the strip_tags method? I thought rails would have something available globally to do something like this.

Upvotes: 9

Views: 3661

Answers (4)

Enno

Reputation: 1862

Why do you want to sanitize user inputs? That doesn't even make any sense! You always want to sanitize (escape) outputs, not inputs, because the meaning of sanitization depends on the context that you are using the content in. There is no such thing as a string that is safe in any context. You do not want a bunch of mangled strings in your database that are "safe" in whatever scenario your application is using them today, because tomorrow, you might want to do something different with them. If your presentation layer is doing the right thing (escaping content based on the context), then you're fine, no matter how many quotes, backslashes or DROP TABLE statements are in them.

Upvotes: -1

tig

Reputation: 27850

Maybe the sanitize gem: http://wonko.com/post/sanitize

Upvotes: 0

Reuben Mallaby

Reputation: 5767

What about the xss_terminate plugin?

Upvotes: 4

yfeldblum

Reputation: 65455

Why do you need to sanitize the user's input?

Typically, all that is needed is rigorous, context-aware encoding/escaping of the user's input any time you print it or embed it within a larger block of output.

Upvotes: -1
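The point Enno and yfeldblum both make (store the raw string, encode it per output context) is easier to see with code. The block below is an added example, not code from the thread or from Rails; it uses only the Ruby standard library so it runs outside a Rails app, and the sample comment text, the four `for_*` encoders and `render_comment` are all constructed here for illustration. The JS step reproduces what Rails' `ERB::Util.json_escape` does (`<`, `>`, `&` and the U+2028/U+2029 line terminators written as `\uXXXX`).

```ruby
# Added example, not code from the original thread: keep the user's text
# verbatim in the database and encode it for each output context at render
# time. Only the Ruby standard library is used so it runs outside Rails; in
# an ERB view <%= %> already does the HTML step, and the JS step is the same
# idea as Rails' ERB::Util.json_escape.
require "erb"
require "cgi"
require "json"

# Constructed sample input, the kind of thing typed into a comment box. It
# holds a character that is special in every one of the contexts below.
STORED = %q{Tom & "Jerry" <script>alert('x')</script> O'Reilly}

# Text between HTML tags: & < > " ' become entities.
def for_html_body(s)
  ERB::Util.html_escape(s)
end

# An HTML attribute value, returned with its quotes so it cannot be inserted
# unquoted by mistake.
def for_html_attr(s)
  %("#{ERB::Util.html_escape(s)}")
end

# A JavaScript string literal inside a <script> block. JSON gives a correctly
# quoted literal; < > & and the U+2028/9 line terminators are then written as
# \uXXXX so the literal can never contain "</script>" or end the line early.
def for_js_string(s)
  s.to_json
   .gsub("<", "\\u003c").gsub(">", "\\u003e").gsub("&", "\\u0026")
   .gsub("\u2028", "\\u2028").gsub("\u2029", "\\u2029")
end

# One query-string component of a URL.
def for_url_param(s)
  CGI.escape(s)
end

# The same stored value rendered into four contexts of one page, each with
# its own encoder; nothing in STORED had to be altered or stripped.
def render_comment(body)
  <<~HTML
    <p class="comment">#{for_html_body(body)}</p>
    <a href="/search?q=#{for_url_param(body)}" title=#{for_html_attr(body)}>search</a>
    <script>showPreview(#{for_js_string(body)});</script>
  HTML
end

# The other side of the thread's argument: a value "sanitized" for HTML on
# the way in and later reused in a different context.
#
# In a JS string the user now sees entity soup instead of their own text.
def html_escaped_then_used_in_js(s)
  JSON.parse("[#{for_js_string(for_html_body(s))}]").first
end

# In a query string the & of every &amp; is a live separator, so the value is
# cut off and the rest turns into stray parameters.
def html_escaped_then_used_in_url(s)
  CGI.parse("q=#{for_html_body(s)}")["q"].first
end

# Correct path for comparison: the URL encoder round-trips through CGI.parse.
def url_encoded_then_parsed(s)
  CGI.parse("q=#{for_url_param(s)}")["q"].first
end

if $PROGRAM_NAME == __FILE__
  puts render_comment(STORED)
  puts "JS sees:  #{html_escaped_then_used_in_js(STORED)}"
  puts "URL sees: #{html_escaped_then_used_in_url(STORED).inspect}"
end
```

Every encoder here is reversible by the consumer it targets (the browser's HTML parser, the JS engine, the query-string parser), which is what lets one stored value serve all four slots; stripping tags on input is not reversible, and the last two functions show the kind of damage a string pre-escaped for one context does in another. If stripping on the way in is still wanted for a specific field, the view helpers are reachable outside views as `ActionController::Base.helpers.strip_tags(str)`, so there is no need to mix the helper module into a controller.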
