Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How do I textile and sanitize html?

Tags:

html

escaping

ruby-on-rails

textile

Now i ran into some stupid situation. I want the users to be able to use textile, but they shouldn't mess around with my valid HTML around their entry. So I have to escape the HTML somehow.

  • html_escape(textilize("</body>Foo")) would break textile while

  • textilize(html_escape("</body>Foo")) would work, but breaks various Textile features like links (written like "Linkname":http://www.wheretogo.com/), since the quotes would be transformed into &quot; and thus not detected by textile anymore.

  • sanitize doesn't do a better job.

Any suggestions on that one? I would prefer not to use Tidy for this problem. Thanks in advance.

like image 778
Marcel Jackwerth Avatar asked Feb 01 '09 22:02

Marcel Jackwerth

2 Answers

For those who run into the same problem: If you are using the RedCloth gem you can just define your own method (in one of your helpers).

def safe_textilize( s )
  if s && s.respond_to?(:to_s)
    doc = RedCloth.new( s.to_s )
    doc.filter_html = true
    doc.to_html
  end
end

Excerpt from the Documentation:

Accessors for setting security restrictions.

This is a nice thing if you‘re using RedCloth for formatting in public places (e.g. Wikis) where you don‘t want users to abuse HTML for bad things.

If filter_html is set, HTML which wasn‘t created by the Textile processor will be escaped. Alternatively, if sanitize_html is set, HTML can pass through the Textile processor but unauthorized tags and attributes will be removed.

like image 128
Marcel Jackwerth Avatar answered Oct 27 '22 05:10

Marcel Jackwerth

This works for me and guards against every XSS attack I've tried including onmouse... handlers in pre and code blocks:

<%= RedCloth.new( sanitize( @comment.body ), [:filter_html, :filter_styles, :filter_classes, :filter_ids] ).to_html -%>

The initial sanitize removes a lot of potential XSS exploits including mouseovers.

As far as I can tell :filter_html escapes most html tags apart from code and pre. The other filters are there because I don't want users applying any classes, ids and styles.

I just tested my comments page with your example 

"</body>Foo"

and it completely removed the rogue body tag

I am using Redcloth version 4.2.3 and Rails version 2.3.5

like image 2
Noel Walters Avatar answered Oct 27 '22 05:10

Noel Walters
Sign in to Comment

Related questions

How to parse HTML table with Powershell Core 7?
Material Icon Two-Tone: How to change the color of icon?
How to disable Hover effect on CSS?
Semicolon in *ngIf directive with else block - Angular
Video Conferencing like video grid using css grid
Object with the same color, but with different opacities
Non breaking spaces are rendered as regular space in vue template
Problem when creating a map using Google Maps' API
HTML not rendering well when using markdown2 converted
HTML5 Geolocation API quietly fails when Mac settings (not browser settings) deny location sharing
How can I define the type for a <video> reference in React using Typescript?
How to stop the hiding of dropdown content in specific situation in materialize?
Are there any tools out there to compare the structure of 2 web pages?
How do I use genshi.builder to programmatically build an HTML document?
What to do when IE's moveToElementText spits out an Invalid Argument exception
HTML DTDs - what's the point? [duplicate]
How to stop title attribute from displaying tooltip temporarily?
Wrapping GridView text without a visible space
Conflict between Drag and drop and sortable jquery plugins
CSS precedence rules

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!