Safe HTML Whitelists

HTML Whitelisting in Ruby on Rails, the easy and safe way.

I’ve written a RoR helper (which ended up being relatively similar to this one) based on the “Easy HTML Whitelists” recipe in the Pragmatic Programmers’ Rails Recipes book.

The big problem with that recipe is that it allows any attributes on whitelisted tags. Not good. I could throw in nasty background images or cookie-stealing onclick/onmouseover events. XSS == teh badness.

Originally, I just stripped all the attributes, but in this post RoR Newbie asks “how can I allow SOME attributes?”

Thus was this helper born. It allows you to define “tag profiles” of allowed tags and attributes, and gives you the ability to allow different levels of sanitizing for different purposes/users. See the RDoc for a fuller explanation.
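To make the tag-profile idea concrete, here is an added illustration (my own code, not the HTMLFilterHelper linked below, whose profile names and API I have not reproduced): each profile maps an allowed tag to the attributes it may keep, so event handlers and unknown attributes are dropped and non-whitelisted tags are escaped to text. URL attributes are checked against an allow-list of schemes after entity decoding.

```ruby
require 'cgi'

# Hypothetical tag profiles: tag name => attributes that tag may keep.
PROFILES = {
  strict: { 'b' => [], 'i' => [], 'p' => [] },
  basic:  { 'b' => [], 'i' => [], 'p' => [],
            'a' => %w[href title], 'img' => %w[src alt] }
}.freeze

TAG_RE  = %r{<\s*(/?)\s*([a-zA-Z][a-zA-Z0-9]*)([^>]*?)\s*(/?)\s*>}
ATTR_RE = /([a-zA-Z][a-zA-Z0-9\-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/
# URL attributes are allow-listed by scheme, so javascript:, data:, vbscript:
# and anything else unexpected is dropped rather than enumerated.
SAFE_URL_RE = %r{\A(?:https?://|mailto:|/|#)}i

def safe_attr_value?(name, value)
  return true unless %w[href src].include?(name)
  SAFE_URL_RE.match?(value.strip)
end

# Keeps whitelisted tags with only their profiled attributes; every other
# tag is escaped so it renders as literal text instead of HTML.
# (A regex tokenizer is fine for a demo; production code should use the
# parser-backed sanitizer Rails ships with.)
def sanitize_html(html, profile = :strict)
  allowed = PROFILES.fetch(profile)
  html.gsub(TAG_RE) do |tag|
    closing, name, raw_attrs, selfclose = $1, $2.downcase, $3, $4
    next CGI.escapeHTML(tag) unless allowed.key?(name)
    next "</#{name}>" unless closing.empty?
    attrs = raw_attrs.scan(ATTR_RE).map do |aname, dq, sq, bare|
      aname = aname.downcase
      # Decode entities first so "javascript&#58;" cannot slip past the check.
      value = CGI.unescapeHTML(dq || sq || bare)
      next unless allowed[name].include?(aname) && safe_attr_value?(aname, value)
      %( #{aname}="#{CGI.escapeHTML(value)}")
    end.compact.join
    "<#{name}#{attrs}#{selfclose.empty? ? '' : ' /'}>"
  end
end
```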

Lemme know what you think. Dan at NOSPAMEendpoint dot com

HTMLFilterHelper

RDoc:

http://www.kookdujour.com/doc/

The helper:

http://www.kookdujour.com/html_filter_helper.rb.txt

Try it out:

http://www.kookdujour.com/filter_test

Comments

Hello! Great idea of color of this site!
Posted by: anonymous on Sat Aug 04 09:14:58 -0400 2007