How can I sanitize all params coming into a Sinatra app?

Question

In a similar Rails app, I was able to make a recursive Hash-checking function which then runs the Sanitize gem's clean/fragment method to remove any HTML elements from incoming params hash. I used a before filter in the application_controller so everything gets scrubbed app-wide (it's a big app).

Backstory: XSS attacks were possible, particularly in IE browsers, but really we just don't want any of this stuff being saved into the database anyway. Though the ultimate goal was that JSON output didn't contain it.

I tried to do the same thing in a Sinatra app (which has some ActiveSupport and JRuby ActiveRecord bundled in), but the Sanitize gem won't bundle, because this particular app runs in JRuby for some database reasons. Sanitize needs Nokogiri, which in turn needs Nokogumbo, and the latter just won't build in this JRuby environment.

So I tried doing a before filter in app.rb using Rack::Util's built in html escape method, but that blows up the app.

Are there any alternative ways I can think about

1) Sanitizing all incoming params into a (JRuby) Sinatra app

And if not, a lesser option:

2) make it so all JSON that is parsed sanitizes values in said JSON attribute-value lists?

PS - Part of the issue here is that an included local gem, which handles a lot of the params and does JSON rendering, is proving impossible to debug. I'll include Pry in both the host app, and the locally linked gem, and when I try to Pry into the Gem, I can't view the params hash (it just shows as empty)–there seems to be an issue of scope.

Answer 1

Sanitize gem won't bundle, because this particular app runs in JRuby for some database reasons. Sanitize needs Nokogiri, which in turn needs Nokogumbo, and the latter just won't build in this JRuby environment.

seems wrong as Nokogiri works in JRuby (has a -java specific gem), try a bundle update nokogiri so that you get Sanitize to play nicely ...

So I tried doing a before filter in app.rb using Rack::Util's built in html escape method, but that blows up the app.

again, too bad. maybe post details on you gem versions and the failures you run into. although the preferred option, I believe, would be to get something that worked under MRI working under JRuby - thus I would try again to use Nokogiri.