Auto-sanitizing HTML at the model level in Rails to protect against script injection

In Rails, input field data can be sanitized either before it is saved or when it is displayed. Doing it in the model means the view no longer has to depend on wrapping every output in the h helper, although escaping at render time remains the safer default and should still be kept as a second layer. A plugin lets us declare the sanitization once per model.

xss_terminate is a plugin that, in its own words, "makes stripping and sanitizing HTML stupid-simple": http://github.com/look/xss_terminate. At the time of writing it cannot be installed directly from that repository, so download it and unpack its contents into a folder named "xss_terminate" under vendor/plugins.

Suppose we want any script removed from the user name before a User record is saved. We only need to add one line to the model:

class User < ActiveRecord::Base
  xss_terminate :sanitize => [:user_name]

  # ... rest of the model ...
end

A field can be excluded from sanitizing with the :except option:

xss_terminate :except => [:address]

A field listed under :except is stored exactly as it was submitted, so anything rendered from it must still be escaped in the view.
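As an added illustration that is not the xss_terminate plugin's own code, the following plain-Ruby sketch reproduces the model-level behaviour described above for both the :sanitize and the :except cases: every string attribute has its tags stripped before save, attributes listed under :sanitize keep only whitelisted tags and attributes, and :except attributes are stored untouched and escaped only at output. ModelSanitizer, clean_html, Comment, the whitelists and the sample input are all assumptions made up for this example; the regex-based tag handling exists only so the example runs without Rails, and real code should use Rails' sanitize and strip_tags helpers (a real HTML parser), never regexes.

```ruby
# Added example, not the xss_terminate plugin's code: a plain-Ruby sketch of
# model-level HTML cleaning in the plugin's style, runnable without Rails.
# Hypothetical names: ModelSanitizer, clean_html, Comment.
require 'cgi'

module ModelSanitizer
  # Tags the whitelist sanitizer keeps; everything else (script, img, iframe, ...) is dropped.
  ALLOWED_TAGS = %w[b i em strong p br a].freeze
  # Attributes kept on allowed tags; event handlers (onclick=...) and style never survive.
  ALLOWED_ATTRS = %w[href title].freeze

  def self.included(base)
    base.extend(ClassMethods)
  end

  module ClassMethods
    attr_reader :sanitize_options
    # Mirrors the plugin's declaration: clean_html :except => [...], :sanitize => [...]
    def clean_html(options = {})
      @sanitize_options = { except: [], sanitize: [] }.merge(options)
    end
  end

  # Remove every tag. Simplified regex version; Rails' strip_tags uses a parser.
  def self.strip_tags(html)
    html.gsub(/<[^>]*>/, '')
  end

  # Keep only whitelisted tags and attributes; script bodies must not survive as text.
  def self.sanitize(html)
    html = html.gsub(%r{<script\b[^>]*>.*?</script>}mi, '')
    html.gsub(%r{<(/?)([a-zA-Z0-9]+)([^>]*)>}) do
      closing, tag, attrs = $1, $2.downcase, $3
      next '' unless ALLOWED_TAGS.include?(tag)
      kept = attrs.scan(/([a-zA-Z\-]+)\s*=\s*"([^"]*)"/).select { |name, value|
        ALLOWED_ATTRS.include?(name.downcase) && value !~ /\A\s*javascript:/i
      }.map { |name, value| %( #{name.downcase}="#{value}") }.join
      "<#{closing}#{tag}#{kept}>"
    end
  end

  # Runs before save, like the plugin's before_save callback:
  # :except fields untouched, :sanitize fields whitelisted, all others stripped.
  def sanitize_fields!
    opts = self.class.sanitize_options
    string_attributes.each do |name|
      value = send(name)
      next unless value.is_a?(String)
      next if opts[:except].include?(name)
      cleaned = opts[:sanitize].include?(name) ? ModelSanitizer.sanitize(value) : ModelSanitizer.strip_tags(value)
      send("#{name}=", cleaned)
    end
  end
end

# Stand-in for an ActiveRecord model (constructed for the example).
class Comment
  include ModelSanitizer
  attr_accessor :user_name, :body, :address

  # user_name: safe markup allowed, script removed; address: stored raw, so it
  # MUST be escaped when rendered; body and any other string field: all tags stripped.
  clean_html :sanitize => [:user_name], :except => [:address]

  def initialize(attrs = {})
    attrs.each { |k, v| send("#{k}=", v) }
  end

  # ActiveRecord would derive this from the string/text columns.
  def string_attributes
    [:user_name, :body, :address]
  end

  # Stand-in for ActiveRecord#save: run the callback, then "persist".
  def save
    sanitize_fields!
    true
  end
end

# Output escaping for a field the model left alone (what Rails' h helper does).
def h(text)
  CGI.escapeHTML(text.to_s)
end

# Constructed hostile input covering all three field kinds.
def demo
  c = Comment.new(
    user_name: %(<b>Mallory</b><script>alert(1)</script><a href="javascript:alert(2)" onclick="x()">me</a>),
    body:      %(Hi <img src=x onerror="alert(1)"> there),
    address:   %(<script>alert(1)</script> 1 Main St)
  )
  c.save
  c
end
```

After demo.save, user_name keeps `<b>Mallory</b>` and a link stripped of its javascript: href and onclick handler, body loses the img tag entirely, and address still contains the raw script tag; only h(address) is safe to put in a page, which is exactly why :except fields must be escaped in the view.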

More on this: http://railspikes.com/2008/1/28/auto-escaping-html-with-rails
