I need to safely save/retrieve HTML tags to a database in my Rails app. Currently I save HTML without any validation, like below:

    <h2>Sample title</h2>
    <p>sample description</p>

and in the view I use `<%= raw @page.description %>`. It works as expected, but I need to know whether it is safe or not.
You can never be sure it is safe. Always treat all user input as hostile.

However, if by "safe" you mean "devoid of potentially really harmful elements like `<script>`s and `<style>`s", then I present to you the Sanitization Helper. You can print your HTML from the database and only allow a certain whitelist of tags:

    <%= raw sanitize @page.description, tags: %w(h2 p strong em a), attributes: %w(id class href) %>

The above example will allow all `h2`, `p`, `strong`, `em` and `a` tags, and only the `id`, `class` and `href` attributes on them. Everything else will be removed.