Prevent HTML input

Hi all,
Is there any plugin to prevent an HTML form from accepting HTML in the input,
throughout the application?
Regards,
Pankaj

What do you mean by preventing the form from accepting html input? Do you want to prevent input while the user is typing, to check it in the browser when the user clicks submit and not submit if there is html, or to parse the data in the controller after it is submitted and fail validation if necessary?

Note that the first two of these would not prevent someone posting html in the form by manually building the post request rather than using your form in a browser.

Colin

I want to parse the data on the server side after it is submitted and
fail validation if necessary.
Regards,
Pankaj

hi,

just strip all the html tags, eg

def save_form
  # strip anything that looks like a tag from the textarea field (in place)
  params[:form]['textarea'].gsub!(/<[^>]*>/,'')
  ...
end

but that's a very simple example; you will probably have to construct a more
sophisticated solution (strip code inside JavaScript etc.)

tom

pankaj wrote:

How can this save form function be called for all the params passed?

params[:form].each{|k,v| v.gsub!(/<[^>]*>/,'') if v.is_a?(String) }  # only strings can carry tags; nested hashes/arrays need a recursive walk

pankaj wrote:

I'd also recommend that you use a somewhat more intelligent solution -
take a look at SanitizeHelper, part of ActionView:

http://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html

There are a lot of gotchas in trying to clean up user input, so it's
better if you can use a well-tested solution.

--Matt Jones

Thanks everyone for your replies.
I want to use the sanitize helper in one central location, so that I
do not have to write it for each form.
Regards,
Pankaj
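One way to do this in a single place, as an added example rather than code from anyone in this thread: a recursive walk over a nested params structure that strips tags from every string and records which fields contained HTML, so a controller can either use the cleaned copy or fail validation. It uses the same simple tag regex from earlier in the thread; in a real app you would swap in a well-tested sanitizer such as Rails' ActionView::Base.full_sanitizer. The sample params and the ApplicationController hook in the comments are constructed for illustration.

```ruby
# Same simple pattern used earlier in the thread. It strips anything that
# looks like a tag, including harmless text such as "a <b> c", and is not a
# real HTML sanitizer; replace with ActionView::Base.full_sanitizer.sanitize
# in production.
TAG_RE = /<[^>]*>/

# Recursively walk a params-like value (Hash / Array / String), returning a
# cleaned copy. Paths of fields that contained HTML are appended to `found`
# as dotted keys, e.g. "form.bio". Non-string leaves (numbers, nil, uploaded
# files) are returned untouched.
def strip_tags_deep(value, path, found)
  case value
  when Hash
    value.each_with_object({}) do |(k, v), h|
      h[k] = strip_tags_deep(v, path + [k.to_s], found)
    end
  when Array
    value.each_with_index.map { |v, i| strip_tags_deep(v, path + [i.to_s], found) }
  when String
    found << path.join(".") if value.match?(TAG_RE)
    value.gsub(TAG_RE, "")   # gsub, not gsub!: never mutate the original params
  else
    value
  end
end

# Central entry point: returns the cleaned params and the list of offending
# fields. On Rails 5+ pass params.to_unsafe_h so the walk sees a plain Hash.
def sanitize_params(params)
  found = []
  cleaned = strip_tags_deep(params, [], found)
  { params: cleaned, html_in: found }
end

# Constructed sample of what a submitted form might look like.
SAMPLE_PARAMS = {
  "form" => { "name" => "Bob", "bio" => "hi <b>there</b>",
              "tags" => ["<i>x</i>", "plain"] },
  "page" => 2
}

# Hypothetical central hook, shown as a comment so the file runs outside Rails:
#   class ApplicationController < ActionController::Base
#     before_filter :reject_html_params
#     def reject_html_params
#       result = sanitize_params(params)
#       render :text => "HTML is not allowed", :status => 422 unless result[:html_in].empty?
#     end
#   end
result = sanitize_params(SAMPLE_PARAMS)
puts "cleaned: #{result[:params].inspect}"
puts "fields containing HTML: #{result[:html_in].join(', ')}"
```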

What do you mean by preventing the form from accepting html input? Do you want to prevent input while the user is typing, to check it in the browser when the user clicks submit and not submit if there is html, or to parse the data in the controller after it is submitted and fail validation if necessary?

He means: is there JavaScript client-side validation to save a server round trip for validation? I reckon that oughta be in Rails 3 form helpers.

Blog: http://random8.zenunit.com/
Learn: http://sensei.zenunit.com/

Twitter: http://twitter.com/random8r

Hi Pankaj,

You might like to take a look at the XSS Terminate plugin:
github.com/look/xss_terminate/tree/master

Install and forget ... as the Readme says. :)