William Jones
Reputation: 18289
Ruby on Rails: How best to escape a string in a model?
I want my application to sanitize html on input rather than on display, so that the fields saved into the database are sanitized.
I've been doing this with strip_tags, and it was working great. However, this has the downside that it means the user can't input anything that's bracketed with < and >.
How can I tell Rails in the model to securely escape tags before saving them to the database? I'd like to not have to call h on the sanitized fields again before using them in the views.
Upvotes: 1
Views: 1114
Answers (2)
Greg
Reputation: 2563
One option is to use the plugin xss_terminate: http://code.google.com/p/xssterminate/
By default it strips all HTML tags from user input.
Upvotes: 1
Related Questions
- Escaping values in Rails (similar to mysql_real_escape_string())
- Properly Escaping a String inside a View
- Sanitize output in Rails
- Html escaping in a Rails 3 view
- Escaping text so it would remain readable
- Escaping HTML in Rails
- How to sanitize an attribute value in rails
- Safely display html encoded values in Rails
- Escape URL in rails
- Escaping Characters Rails