Posted by ant
October 9th, 2008
Filed in Rails
(or sanitising as us Brits prefer to write!)
I really hate having to call the h helper method every time I display a model attribute in a view. Imagine how happy I was to find a plugin that does all this for me. Then I found XSS_Terminate.
Attributes can be sanitised (have unwanted user-inputted HTML tags removed) with one of three methods: remove all HTML tags, Rails' own ActionView::Helpers::SanitizeHelper, or HTML5Lib. By default every attribute in a model is sanitised by removing all tags, but you can easily configure how individual attributes are sanitised. For example, to strip all tags from every attribute except :description (which is passed through the Rails sanitizer instead) use:
xss_terminate :sanitize => [:description]
Thankfully Rails now uses white lists rather than black lists for its sanitisation (it used black lists prior to v2.0), which makes it much, much more effective. However, I found that the Rails built-in sanitisation was removing attributes on HTML elements that (for the moment) I need left in. By default it removes script elements and the id, class and style attributes (amongst others). This can be configured in config/environment.rb (details in the API docs).
The API docs say you can change the default allowed attributes. What that actually means is that
config.action_view.sanitized_allowed_attributes = 'class', 'style'
adds 'class' and 'style' to the list of allowed attributes; it does not replace the list with just 'class' and 'style'. (The setter merges the names you give it into the existing white list, so the default attributes such as href and src stay allowed.)
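As an added illustration (this is not code from the post, the xss_terminate plugin, or Rails) here is a small pure-Ruby toy that models both points above: a model-level xss_terminate hook that strips every attribute except those listed under :sanitize, which go through a white-list sanitizer instead, and an allowed_attributes= setter that merges into the existing list the way the Rails setter does. The allowed tag, attribute and protocol lists, the regex-based parsing and the Post class are all assumptions made for the demo.

```ruby
require 'set'

# Added example, not the post's, xss_terminate's or Rails' code. A toy
# white-list sanitizer modelled on the behaviour described in the post.
# Tag/attribute/protocol lists and the regex parsing are demo assumptions;
# use Rails' sanitize or a real HTML parser in production.
module WhiteListSanitizer
  ALLOWED_TAGS      = Set.new(%w(a b i em strong p br span div ul ol li code pre))
  DROP_WITH_CONTENT = %r{<(script|style)\b[^>]*>.*?</\1\s*>}mi
  TAG_RE            = %r{<(/?)([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>}m
  ATTR_RE           = /([a-zA-Z][\w:-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/

  @allowed_attributes = Set.new(%w(href src alt title))
  @allowed_protocols  = Set.new(%w(http https mailto))

  class << self
    attr_reader :allowed_attributes

    # Same semantics the post describes for Rails' setter: the names given
    # are MERGED into the existing white list, not substituted for it.
    def allowed_attributes=(attrs)
      @allowed_attributes.merge(Array(attrs).map(&:to_s))
    end

    # "Remove all tags" mode: drop script/style with their bodies, then every tag.
    def strip_tags(html)
      html.gsub(DROP_WITH_CONTENT, '').gsub(TAG_RE, '')
    end

    # White-list mode: keep only allowed tags, allowed attributes and safe URLs.
    def sanitize(html)
      html.gsub(DROP_WITH_CONTENT, '').gsub(TAG_RE) do
        closing = ($1 == '/')
        tag     = $2.downcase
        attrs   = $3
        next '' unless ALLOWED_TAGS.include?(tag)
        next "</#{tag}>" if closing
        kept = attrs.scan(ATTR_RE).map do |name, dq, sq, bare|
          name  = name.downcase
          value = dq || sq || bare || ''
          next unless @allowed_attributes.include?(name)
          next if %w(href src).include?(name) && !safe_url?(value)
          %( #{name}="#{value.gsub('"', '&quot;')}")
        end
        "<#{tag}#{kept.compact.join}>"
      end
    end

    # Relative URLs pass; anything with a scheme must use an allowed one.
    # Whitespace/control characters are removed first to defeat "java\nscript:".
    def safe_url?(value)
      v = value.downcase.gsub(/[[:space:][:cntrl:]]/, '')
      !v.include?(':') || @allowed_protocols.any? { |p| v.start_with?("#{p}:") }
    end
  end
end

# Toy stand-in for the model side of xss_terminate (assumption: the real
# plugin does this in an ActiveRecord before_save callback). Attributes named
# under :sanitize go through the white list; everything else has all tags
# stripped, matching the post's "strip everything except :description" config.
class Post
  STRING_ATTRIBUTES = %w(title description)
  attr_accessor(*STRING_ATTRIBUTES)

  def self.xss_terminate(options = {})
    @sanitize_attrs = Array(options[:sanitize]).map(&:to_s)
  end

  def self.sanitize_attrs
    @sanitize_attrs || []
  end

  xss_terminate :sanitize => [:description]

  def initialize(attrs = {})
    attrs.each { |k, v| public_send("#{k}=", v) }
  end

  # Runs where the plugin hooks in: just before the record is saved.
  def save
    STRING_ATTRIBUTES.each do |name|
      value = public_send(name)
      next if value.nil?
      cleaned = if self.class.sanitize_attrs.include?(name)
                  WhiteListSanitizer.sanitize(value)
                else
                  WhiteListSanitizer.strip_tags(value)
                end
      public_send("#{name}=", cleaned)
    end
    true
  end
end

if __FILE__ == $0
  dirty = '<p class="x" style="color:red" onclick="evil()">Hi <a href="javascript:alert(1)">x</a></p>'
  post = Post.new(:title => 'Hi <b>there</b><script>alert(1)</script>', :description => dirty)
  post.save
  puts post.title                                    # Hi there
  puts post.description                              # <p>Hi <a>x</a></p>
  WhiteListSanitizer.allowed_attributes = %w(class style)
  puts WhiteListSanitizer.allowed_attributes.include?('href')  # true: merged, not replaced
  puts WhiteListSanitizer.sanitize(dirty)            # <p class="x" style="color:red">Hi <a>x</a></p>
end
```

Run it as a script and note that after the merge class and style survive while onclick and the javascript: href are still dropped, and href remains allowed, which is the behaviour the post describes for config.action_view.sanitized_allowed_attributes. The regex parser is deliberately simple; it does not decode entities or handle malformed markup the way a real parser does, so treat it as an illustration of the configuration semantics rather than a sanitizer to ship.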