Filtering user comments

Maxim_Kulkin · October 6, 2006, 12:46pm

This concept is called "html white list"... Try googling on it, I'm sure there are some plugins already available for that.

Rick_Olson · October 7, 2006, 1:58am

http://svn.techno-weenie.net/projects/plugins/white_list/

Rick_Olson · October 7, 2006, 5:34am

Ha. That's funny.

Mine is ridiculously similar. Big difference is that I've set it up to take allowed tags/attributes as a data structure, allowing you to easily define different tag/attribute profiles for different purposes in one go.

I'll throw it up here anyway.

I'm seeing the need for that actually. I'm not sure it's anything I'd have to add support for in my plugin though, I'll probably just make helpers like white_list_comments that pass in special customizations.

Con · October 7, 2006, 9:54am

Maxim Kulkin wrote: >> Currently my comments are filtered by the h-command which is fine but >> I'd like to add some expections to it. Well, I dont need to use the >> h-command but a system that would allow a few html tags and deny all >> others would be perfect. >> >> Is there such code out there somewhere that I could use? I tried to >> google around but couldn't find anything. I also could do the whole >> thing myself but the regexp bits are a bit too hard. > This concept is called "html white list"... Try googling on it, I'm sure > there > are some plugins already available for that.

Make sure that whatever HTML white list method you choose, that it also deal with attributes. The Rails Recipe has an HTML whitelist recipe that doesn't deal with attributes at all, making it unsafe. I could throw in cookie stealing javascript events or style attributes that put in nasty background images.

Pragmatic Bookshelf: By Developers, For Developers

That's one recipe, and my method of making it safe is posted as a comment.

-DJCP

I would recommend contacting the author to have this included in the next edition.

-Conrad

Reynard · November 13, 2006, 4:18pm

I'm having hard time trying to call this from the model. (it can't be included and can't be called as static function as well) I think the :attributes clashes with AR. Is there any reason this is not done while saving to the model (database), so the call happens only when saving not on every view request?

Reynard · November 13, 2006, 4:20pm

Sorry, forgot to mention that I'm referring to the white_list plugin.

Reynard wrote:

Reynard · November 13, 2006, 4:34pm

Makes sense enough thanks for the input and the code contribution!

Topic		Replies	Views
Filtering user comments rubyonrails-talk	0	84	October 6, 2006
anyone here familiar with white_list plugin? rubyonrails-talk	0	98	February 21, 2008
Allow HTML and Deny JavaScript rubyonrails-talk	7	285	June 5, 2007
Plug-ins Available Protect Against Malicious Code? rubyonrails-talk	2	128	September 18, 2006
RedCloth !image! bug with filter_html rubyonrails-talk	0	126	September 18, 2006

Filtering user comments

Related topics

More Resources