I had all of our data being HTML-escaped as it was rendered to the page, but the problem is that other systems interact with ours — we send data to web analytics systems and to SalesForce.com. In that case you can’t count on escaping entities on display — you need to catch it on the way into your database.
I found a few sites with some fixes, though most were still focused on cleaning the data on display. I ended up taking Rick’s plugin and applying it at save time in the model object. I’m not sure it’s the cleanest — I’d almost certainly say there is a more elegant way to do this — but this was quick and works great.
It’s still basically designed to be used at output time:
<%= white_list @article.body %>
But instead I include the helper directly into the model and override the attribute setters:
class Contact < ActiveRecord::Base
  include WhiteListHelper

  # Sanitize on write so the stored value is already clean
  def name=(text)
    write_attribute(:name, white_list(text))
  end
end
I tried setting up a before_filter and stepping through the params[] hash, but my data was fairly simple and the above was dead easy.
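To show the save-time pattern end to end, here is an added example (not the white_list plugin's code and not from this post): a small allow-list filter standing in for the plugin's helper, and a plain Ruby stand-in for the ActiveRecord model whose setter runs it on write. The WhiteListExample module, its tag list and the Contact class without ActiveRecord are assumptions for illustration.

```ruby
require "cgi"

# Added example: a small allow-list filter standing in for the white_list
# plugin's helper (not the plugin's own code). Unknown tags are escaped so
# they render as text; all attributes are dropped except an http(s) href on <a>.
module WhiteListExample
  ALLOWED_TAGS = %w[b i em strong p br].freeze
  TAG_RE = %r{<\s*(/?)\s*([a-zA-Z0-9]+)([^>]*)>}

  def white_list(text)
    return "" if text.nil?
    out = +""
    last = 0
    text.scan(TAG_RE) do
      m = Regexp.last_match
      out << CGI.escapeHTML(text[last...m.begin(0)])   # text between tags
      out << rewrite_tag(m[1], m[2].downcase, m[3])
      last = m.end(0)
    end
    out << CGI.escapeHTML(text[last..-1])              # trailing text
  end

  def rewrite_tag(slash, name, attrs)
    if ALLOWED_TAGS.include?(name)
      "<#{slash}#{name}>"                               # attributes dropped
    elsif name == "a"
      return "</a>" if slash == "/"
      href = attrs[%r{\bhref\s*=\s*["']?(https?://[^"'\s>]+)}i, 1]
      href ? %(<a href="#{CGI.escapeHTML(href)}">) : "<a>"
    else
      CGI.escapeHTML("<#{slash}#{name}#{attrs}>")      # shown as literal text
    end
  end
end

# Stand-in for the post's ActiveRecord model (assumed, no Rails needed): the
# setter sanitizes on write, so the page, the analytics feed and the CRM
# export all receive the same cleaned value.
class Contact
  include WhiteListExample
  attr_reader :name

  def name=(text)
    @name = white_list(text)
  end
end
```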
