Clean User Generated HTML In Ruby
Web applications have always had to deal with user input, and nowadays that input is increasingly HTML, which brings the risk of malicious markup, XSS, and so on. The best way to deal with such input is to sanitize it, i.e. remove unwanted HTML tags or attributes. For example, we might not want links or scripts in the user's HTML, so we would remove the script and a tags; in another case we might want to allow anchor tags only with absolute URLs. The cases are numerous, so in this article we'll try to get the basics right.
In this article we'll look at the Ruby gem Sanitize, a whitelist-based sanitizing module: you have to list the allowed tags, attributes, etc. Conversely, you cannot specify disallowed tags or attributes; anything you don't list is removed.
It's pretty easy to install the Sanitize gem in Ruby; just issue the following command and wait:
Sanitize comes with a few built-in modes, which let you cover the common configurations without much effort. Here are the built-in modes:
Sanitize::Config::RESTRICTED - Only allows very simple inline formatting.
Sanitize::Config::BASIC - Allows all formatting tags, links & lists. Does not allow tables & images, and a rel="nofollow" attribute is added to all links.
Sanitize::Config::RELAXED - Like BASIC, but allows images & tables and does not add a rel="nofollow" attribute to links.
You can also customize it to your needs; here's how to go about it.
Try the code yourself and tweak it to improve your understanding. I hope this was helpful.
Re: Clean User Generated HTML In Ruby
It's really nice.