Filtering user comments

This concept is called "html white list"... Try googling on it, I'm sure there
are some plugins already available for that.

http://svn.techno-weenie.net/projects/plugins/white_list/

Ha. That's funny.

Mine is ridiculously similar. Big difference is that I've set it up to
take allowed tags/attributes as a data structure, allowing you to easily
define different tag/attribute profiles for different purposes in one
go.

I'll throw it up here anyway.

I'm seeing the need for that actually. I'm not sure it's anything I'd
have to add support for in my plugin though, I'll probably just make
helpers like white_list_comments that pass in special customizations.

Maxim Kulkin wrote:
>> Currently my comments are filtered by the h-command which is fine but
>> I'd like to add some exceptions to it. Well, I don't need to use the
>> h-command but a system that would allow a few html tags and deny all
>> others would be perfect.
>>
>> Is there such code out there somewhere that I could use? I tried to
>> google around but couldn't find anything. I also could do the whole
>> thing myself but the regexp bits are a bit too hard.
> This concept is called "html white list"... Try googling on it, I'm sure
> there are some plugins already available for that.

Make sure that whatever HTML white list method you choose also deals
with attributes. The Rails Recipe has an HTML whitelist recipe that
doesn't deal with attributes at all, making it unsafe. I could throw in
cookie stealing javascript events or style attributes that put in nasty
background images.

http://fora.pragprog.com/rails-recipes/posts/show/127

That's one recipe, and my method of making it safe is posted as a
comment.

-DJCP
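As an added example (not the white_list plugin's code and not the Rails Recipes one): a small Ruby white-list filter in which allowed tags and per-tag attributes are a data structure, so several profiles (here `comments` and `plain`) can be defined in one place, and which handles the attribute cases raised above: `on*` event handlers and `style` are dropped, and URL-valued attributes (`href`, `src`) have their scheme checked after entity decoding, so that `&#106;avascript:` or a tab inside the scheme does not slip through. The module name, profile names and method names are hypothetical.

```ruby
# Added example (hypothetical names, not the white_list plugin's API): an
# HTML white list where tags and per-tag attributes are data, so several
# profiles can coexist.  Anything not listed in a profile is removed.
module HtmlWhiteList
  # tag => attributes permitted on it.  "style" and "on*" handlers are
  # deliberately absent from every profile.
  PROFILES = {
    comments: {
      'a' => %w[href title], 'blockquote' => [], 'p' => [], 'br' => [],
      'b' => [], 'i' => [], 'em' => [], 'strong' => [], 'code' => [], 'pre' => []
    },
    # stricter profile, e.g. for signatures: inline formatting only
    plain: { 'b' => [], 'i' => [], 'em' => [], 'strong' => [] }
  }.freeze

  URL_ATTRS    = %w[href src].freeze          # values get a scheme check
  SAFE_SCHEMES = %w[http https mailto].freeze
  NAMED        = { 'amp' => '&', 'lt' => '<', 'gt' => '>', 'quot' => '"' }.freeze

  TAG_RE  = %r{<(/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*?)(/?)>}
  ATTR_RE = /([a-zA-Z][\w:-]*)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/

  module_function

  # Returns html keeping only the profile's tags and attributes.  Markup of
  # unknown tags is removed (its inner text is kept) and all text re-escaped.
  def sanitize(html, profile = :comments)
    rules = PROFILES.fetch(profile)
    out = ''.dup
    pos = 0
    html.scan(TAG_RE) do
      m = Regexp.last_match
      out << escape_text(html[pos...m.begin(0)])     # text between tags
      pos = m.end(0)
      closing, name, raw_attrs, selfclose = m[1] == '/', m[2].downcase, m[3], m[4]
      next unless rules.key?(name)
      if closing
        out << "</#{name}>"
      else
        out << "<#{name}#{clean_attrs(raw_attrs, rules[name])}#{selfclose.empty? ? '' : ' /'}>"
      end
    end
    out << escape_text(html[pos..-1])
  end

  # Keeps only attributes listed for the tag; URL attributes must pass safe_url?.
  def clean_attrs(raw, allowed)
    kept = ''.dup
    raw.scan(ATTR_RE) do |name, dq, sq, bare|
      name  = name.downcase
      value = decode(dq || sq || bare || '')
      next if name.start_with?('on') || name == 'style'   # belt and braces
      next unless allowed.include?(name)
      next if URL_ATTRS.include?(name) && !safe_url?(value)
      kept << %( #{name}="#{escape_attr(value)}")
    end
    kept
  end

  # Browsers ignore control characters and whitespace inside a scheme, so
  # strip them before looking at it.  No scheme means a relative URL.
  def safe_url?(url)
    normalised = url.gsub(/[[:cntrl:]\s]/, '')
    scheme = normalised[/\A([a-zA-Z][a-zA-Z0-9+.\-]*):/, 1]
    scheme.nil? || SAFE_SCHEMES.include?(scheme.downcase)
  end

  # Decodes numeric and the common named entities (the browser would too).
  def decode(s)
    s.gsub(/&(#x[0-9a-f]+|#[0-9]+|[a-z]+);?/i) do |whole|
      ref = Regexp.last_match(1)
      if ref.downcase.start_with?('#x')
        (ref[2..-1].to_i(16).chr(Encoding::UTF_8) rescue whole)
      elsif ref.start_with?('#')
        (ref[1..-1].to_i.chr(Encoding::UTF_8) rescue whole)
      else
        NAMED.fetch(ref.downcase, whole)
      end
    end
  end

  # Text nodes: escape < and >, and bare & that is not already an entity.
  def escape_text(s)
    s.gsub(/&(?!(?:#x[0-9a-f]+|#[0-9]+|[a-z]+);)/i, '&amp;')
     .gsub('<', '&lt;').gsub('>', '&gt;')
  end

  # Attribute values were fully decoded above, so every & is re-encoded.
  def escape_attr(s)
    s.gsub('&', '&amp;').gsub('<', '&lt;').gsub('>', '&gt;').gsub('"', '&quot;')
  end
end
```

Usage: `HtmlWhiteList.sanitize(comment.body)` in the model's before-save callback keeps the filtering out of every view request, which is the point raised later in this thread. The tag tokenizer is regex-based and stops at the first `>` even inside a quoted attribute, so a production filter should sit on a real HTML parser; the data-structure-driven profiles and the attribute and URL-scheme checks are the part worth copying.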

I would recommend contacting the author to have this included in the
next edition.

-Conrad

I'm having a hard time trying to call this from the model (it can't be
included and can't be called as a static function either). I think the
:attributes clashes with AR.
Is there any reason this is not done while saving to the model
(database), so the call happens only when saving, not on every view
request?

Sorry, forgot to mention that I'm referring to the white_list plugin.

Reynard wrote:

Makes sense enough :) thanks for the input and the code contribution!