I am trying to include a section wherein my users can input HAML and
view the resulting HTML page.
I would like to make this as un-exploitable as possible.
This is what I have in place now:
This is obviously no good.
Previously, I was using standard HTML, and used sanitize to allow only
a certain array of tags, e.g.
= sanitize current_user.userinput, :tags => %w(div br span a h1 h2 h3 ul li hr b em img), :attributes => %w(style href id class title)
Is there any way to combine the two? I'd like to allow only specific
tags in both HTML and HAML to be processed, and everything else,
including Ruby code, to be ignored/escaped.