bgadoci

Reputation: 6493

Implementing sanitize simple_format in rails 2.3.8

I have created an application that allows users to input lots of different data (posts, comments, etc.). simple_format is good enough for me for now; I just want to protect against crazy stuff. I haven't used sanitize before, and after reading some guides I am still a little confused about how to implement it. Hoping I can get some direction here.

Let's say I am collecting @post.body. How do I remove any <div> tags or <script> tags that might be entered by the user? I am assuming that in the view it would look something like this:

<%= sanitize(simple_format @post.body) %>

...but where do I define what tags aren't allowed? In the Post model or in a sanitize_helper? What is the correct syntax here?

Upvotes: 0

Views: 1114

Answers (1)

jpemberthy

Reputation: 7533

Here's the documentation link for the sanitize method in Rails 2.3.8. With that in mind you'll be able to define allowed tags in this way:

<%= sanitize(simple_format(@post.body), :tags => %w(p span strong)) %>

Note that you can define them also inside the Rails Initializer:

  Rails::Initializer.run do |config|
    config.action_view.sanitized_allowed_tags = 'table', 'tr', 'td'
  end

I hope you find this helpful!

Upvotes: 3
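An added example, not code from the question or the answer and not Rails' own helpers: a small plain-Ruby stand-in for the allow-list approach (hypothetical `simple_format_like` and `allow_list_sanitize`) that shows one caveat with a tag list like `%w(p span strong)`. simple_format turns single newlines into `<br />`, so unless `br` is also allowed the sanitizer strips those line breaks and adjacent lines run together.

```ruby
# Constructed example (not the Rails implementation): an allow-list tag
# filter applied to simple_format-style output, to show which tags the
# allow list must contain for the formatted post body to survive intact.

# Hypothetical stand-in for Rails' simple_format: blocks separated by a blank
# line become <p>...</p>, single newlines inside a block become <br />.
def simple_format_like(text)
  text.to_s.strip.split(/\n\s*\n/).map do |para|
    "<p>" + para.gsub(/\r?\n/, "<br />") + "</p>"
  end.join("\n")
end

# Hypothetical allow-list sanitizer. <script>/<style> elements are dropped
# together with their contents (that is code, not user prose); any other tag
# not on the list loses the tag itself but keeps its inner text; tags that
# are allowed are re-emitted bare, so attributes such as onclick= never pass.
def allow_list_sanitize(html, allowed_tags)
  allowed = allowed_tags.map { |t| t.to_s.downcase }
  out = html.gsub(%r{<(script|style)\b[^>]*>.*?</\1\s*>}mi, "")
  out.gsub(%r{</?([a-zA-Z][a-zA-Z0-9]*)\b[^>]*>}) do |tag|
    name = $1.downcase
    if allowed.include?(name)
      if tag.start_with?("</")
        "</#{name}>"
      elsif tag.end_with?("/>")
        "<#{name} />"
      else
        "<#{name}>"
      end
    else
      ""
    end
  end
end

# Mirrors the view expression sanitize(simple_format(@post.body), :tags => ...).
def render(body, tags)
  allow_list_sanitize(simple_format_like(body), tags)
end

# Constructed post body as a user might submit it: a line break, a script
# element, and a div carrying an event-handler attribute.
USER_BODY = "Hello <strong>world</strong>\nline two<script>alert(1)</script>" \
            "\n\n<div onclick=\"evil()\">second para</div>"

if __FILE__ == $0
  puts render(USER_BODY, %w(p span strong))  # <br /> stripped: "world" and "line two" merge
  puts render(USER_BODY, %w(p br strong))    # <br /> kept, div and script still gone
end
```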
