I have a site written in Rails 3. My post model has a text column named "content".
In the post panel, the HTML form sets the "content" column up as a textarea field with tinymce.
On the front page, because of using tinymce, the post.html.erb code needs to use the raw method, like <%= raw @post.content %>.
Okay, now if I turn off browser JavaScript, this textarea can be typed into without tinymce, and a user may input XSS such as <script>alert('xss');</script>. My front page will show that alert box.
I tried sanitize(@post.content) in posts_controller, but the sanitize method filters out the tinymce styles as well. For example, <span style='color:red;'>foo</span> will become <span>foo</span>.
My question is: how do I filter XSS input and preserve the tinymce styles at the same time?
The sanitizer can be set to allow the style attribute. In your config/application.rb add:
config.action_view.sanitized_allowed_attributes = ['style']
The sanitize method also has defaults for which CSS properties and keywords it allows. See sanitizer.rb allowed_css_properties and allowed_css_keywords to get a list of the defaults.
To add some that aren't currently allowed, add this to your config/application.rb:
config.action_view.sanitized_allowed_css_keywords = ['puke']
--
If you're doing anything more complicated than this then you'll need to write some code. I don't recommend doing this from scratch, check out the Loofah Gem for a good library for writing html scrubbers.
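As an added illustration (not the answerer's code and not the Rails source itself): a simplified pure-Ruby re-implementation modelled on the whitelist approach the Rails 3 sanitizer takes for a style attribute, showing why a harmless color:red declaration survives while expression(...), url(...) values and unknown properties such as behavior or -moz-binding are dropped. The property and keyword lists here are constructed assumptions, much shorter than the real defaults.

```ruby
# Constructed, deliberately short whitelists (the real Rails defaults are longer).
ALLOWED_CSS_PROPERTIES = %w[color background-color font-size font-weight
                            font-style text-align text-decoration].freeze
SHORTHAND_CSS_PROPERTIES = %w[background border margin padding].freeze
ALLOWED_CSS_KEYWORDS = %w[auto bold italic left right center underline none
                          normal solid red blue green black white transparent].freeze
# Numeric / colour tokens allowed inside shorthand values: 12px, 1.5em, 80%, #ccc, rgb(...)
NUMERIC_VALUE = /\A(#[0-9a-f]+|rgb\(\d+%?,\s*\d+%?,\s*\d+%?\)|\d*\.?\d+(cm|em|ex|in|mm|pc|pt|px|%)?)\z/i
# "Gauntlet": only plain characters, quoted words and "(digits, digits)" groups may appear,
# so expression(alert(1)) or any other function call rejects the whole attribute.
GAUNTLET = /\A([-:,;#%.\sa-zA-Z0-9!]|'[\s\w]+'|"[\s\w]+"|\([\d,\s]+\))*\z/
# Every declaration must look like "prop: value;" with nothing else in between.
PAIRS = /\A(\s*[-\w]+\s*:\s*[^:;]*(;|\z)\s*)*\z/

# Returns a cleaned style string containing only whitelisted declarations.
def sanitize_css(style)
  # 1. Remove url(...) values entirely; javascript:/data: payloads hide there.
  style = style.to_s.gsub(/url\s*\(\s*[^\s)]+?\s*\)\s*/i, ' ')
  # 2. Reject the whole attribute if it fails the structural checks.
  return '' unless style =~ GAUNTLET && style =~ PAIRS
  clean = []
  style.scan(/([-\w]+)\s*:\s*([^:;]*)/) do |prop, val|
    prop = prop.downcase
    val = val.strip
    next if val.empty?                       # value was stripped above (e.g. a url)
    if ALLOWED_CSS_PROPERTIES.include?(prop)
      clean << "#{prop}: #{val};"
    elsif SHORTHAND_CSS_PROPERTIES.include?(prop.split('-').first)
      # Shorthand values are kept only if every token is a keyword or numeric/colour.
      safe = val.split.all? { |tok| ALLOWED_CSS_KEYWORDS.include?(tok.downcase) || tok =~ NUMERIC_VALUE }
      clean << "#{prop}: #{val};" if safe
    end
    # Unknown properties (behavior, -moz-binding, ...) fall through and are dropped.
  end
  clean.join(' ')
end
```

The tinymce output from the question, color:red, comes through intact, while a style carrying expression() or a url() value loses that declaration or the whole attribute, which is the trade-off the answer's allowed_css_properties / allowed_css_keywords settings control.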