escaping/stripping all user HTML input

Discussion in 'Ruby' started by Luis, Jun 28, 2007.

  1. Luis

    Luis Guest

    I am writing an application where I know that I do not need to allow
    any HTML input from a user.

    I am considering using before_filter at the controller level to call a
    method that essentially performs the following on the appropriate
    members of the params hash:
    - call strip_tags()
    - escape any remaining characters with h()

    The reason why I am doing this is it seems repetitive and error prone
    to have to call the above method every time in a view where user input
    is being displayed. Ultimately, I would prefer to store the data in as
    "non-malicious" format as possible and not have to worry at the
    presentation level of escaping that data at a later time.

    Is there a better way to do this? Is there existing code that does
    this already? Some googling yielded nothing specific other than
    postings to the effect of "in your view, make sure to use h()".
    Luis, Jun 28, 2007
    #1
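The trade-off the post is asking about, as an added example that is not code from the original thread or from Rails: a plain-Ruby stand-in for "strip tags, then escape, then store" next to "store raw, escape once at output". `naive_strip_tags` is a deliberately simple regex (not Rails' `strip_tags`) and `h` is stdlib `ERB::Util.html_escape`, which is what Rails' `h()` wraps; the sample inputs are constructed for the walk-through.

```ruby
require 'erb'

# Plain-Ruby stand-in for a tag stripper. This is NOT Rails' strip_tags; it is a
# deliberately simple regex used only to show what "clean on input" does to data.
def naive_strip_tags(str)
  str.gsub(/<[^>]*>/, '')
end

# HTML-escape for text content, the same job Rails' h() does (stdlib ERB).
def h(str)
  ERB::Util.html_escape(str)
end

# Approach A, as proposed in the post: scrub in a before_filter, store the result.
def store_sanitized(raw)
  h(naive_strip_tags(raw))
end

# Approach B: store the raw string untouched; escaping is the view's job.
def store_raw(raw)
  raw
end

# What a view does, regardless of whether the stored value was pre-escaped.
# Escaping at this boundary is what actually prevents injection.
def render_in_view(stored)
  "<p>#{h(stored)}</p>"
end

# Constructed inputs: legitimate text with HTML metacharacters, and two payloads.
SAMPLES = {
  ampersand: "Tom & Jerry",
  math:      "a < b && c > d",
  script:    "<script>alert(1)</script>",
  unclosed:  "<img src=x onerror=alert(1)"   # no closing '>' so the regex never matches
}.freeze

if __FILE__ == $0
  SAMPLES.each do |name, raw|
    puts "#{name}:"
    puts "  A (strip+escape on input, view escapes again): #{render_in_view(store_sanitized(raw))}"
    puts "  B (store raw, view escapes once):               #{render_in_view(store_raw(raw))}"
  end
end
```

Three things fall out of running it. First, stripping is lossy: `a < b && c > d` becomes `a  d` because the stripper cannot tell markup from a less-than sign. Second, pre-escaping in the controller and escaping again in the view double-encodes (`Tom &amp;amp; Jerry`), and the stored entities also leak into any non-HTML consumer of the same data (JSON, e-mail, CSV). Third, the unclosed `<img ... onerror=...>` survives the stripper untouched, so the stripping step contributes nothing the output escape did not already provide. Escaping once, at output, handles every sample; keep in mind that `h()` is correct only for HTML text and quoted attribute values, and that JavaScript, URL and CSS contexts need their own encoders.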

  2. Luis

    Luis Guest

    Oh woops, my mistake! Meant to send this to the Rails list.

    On 6/28/07, Luis <> wrote:
    > I am writing an application where I know that I do not need to allow
    > any HTML input from a user.
    >
    > I am considering using before_filter at the controller level to call a
    > method that essentially performs the following on the appropriate
    > members of the params hash:
    > - call strip_tags()
    > - escape any remaining characters with h()
    >
    > The reason why I am doing this is it seems repetitive and error prone
    > to have to call the above method every time in a view where user input
    > is being displayed. Ultimately, I would prefer to store the data in as
    > "non-malicious" format as possible and not have to worry at the
    > presentation level of escaping that data at a later time.
    >
    > Is there a better way to do this? Is there existing code that does
    > this already? Some googling yielded nothing specific other than
    > postings to the effect of "in your view, make sure to use h()".
    >
    Luis, Jun 28, 2007
    #2
