Using <a href> in a text field

If this is a really stupid noob question I apologize in advance, and
appreciate any answers I get from this.

I made a blog with rails, and just finished with the design. Upon
creating my first real post, I realized I couldn't put links in my
posts. I mean I can write links yes, but what I want to do is this:

[code]
blah blah blah <a href="http://www.site.com">site</a> blah blah blah
[/code]

So I really have no idea what to do. I googled html filters, url
filters, and url parsers for about an hour before I posted this, so any
information would be helpful. Thanks :smiley:

Looks to me like you're running afoul of HTML sanitization. This is
in fact for your (or rather, your users') protection, against
cross-site-scripting attacks. If you REALLY want to do that sort of
thing, you can explicitly mark the string as being already HTML-safe.
I'll leave it to you to find out how to do that, as this is a serious
vulnerability, not to be left unprotected-against lightly.

Alternately, there are probably some plugins/gems/whatever that will
let your users insert a *limited subset* of tags, including links...
though of course the targets may contain cross-site-scripting
attacks....

-Dave

Do you mean that you want the poster to be able to type <a
href="http....> (which is dangerous as Dave has pointed out) or that
you want the poster just to type www.site.com and that you will
automatically turn this into a link (in which case you could use
regular expressions to generate the links)?

Colin
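Both approaches mentioned above (an allowlist that keeps only `<a href>` while escaping everything else, plus checking that the link target is not a script-bearing scheme, and Colin's alternative of auto-linking bare URLs with a regular expression) can be shown in plain Ruby. The following is an added example written for this thread, not code from Rails or from any of the posters; it uses only the standard library and the names `render_post`, `safe_href`, `auto_link` and `SAFE_SCHEMES` are its own. In a real Rails app you would instead reach for the framework's sanitizer helpers with an explicit tag and attribute allowlist, but the checks it performs are the ones that matter.

```ruby
require 'cgi'
require 'uri'

# Only these URL schemes may appear in an href; anything else ("javascript:",
# "data:", ...) is rejected so a link target cannot run script.
SAFE_SCHEMES = %w[http https].freeze

# A plain <a href="..."> ... </a> as the post author would type it (assumed input form).
ANCHOR_RE = %r{<a\s+href=(["'])(.*?)\1\s*>(.*?)</a>}im

# A bare http(s) URL inside text that has already been HTML-escaped.
BARE_URL_RE = %r{https?://[^\s<>"']+}i

def escape_html(text)
  CGI.escapeHTML(text)
end

# Returns a normalized href when it parses and uses an allowlisted scheme, else nil.
def safe_href(raw)
  uri = URI.parse(raw.strip)
  return nil unless uri.scheme && SAFE_SCHEMES.include?(uri.scheme.downcase)
  uri.to_s
rescue URI::InvalidURIError
  nil
end

# Wrap bare URLs in escaped text with <a>; trailing sentence punctuation stays outside.
def auto_link(escaped)
  escaped.gsub(BARE_URL_RE) do |url|
    trail = url[/[.,;:!?)]+\z/] || ''
    url = url[0...(url.length - trail.length)]
    %(<a href="#{url}">#{url}</a>#{trail})
  end
end

# Walk the body: author-written anchors are kept only when their target is safe;
# every other character is HTML-escaped, and (optionally) bare URLs are linked.
# Anchors with a rejected target are reduced to their visible label.
def render_post(body, autolink: true)
  text = ->(chunk) { autolink ? auto_link(escape_html(chunk)) : escape_html(chunk) }
  out = +''
  last = 0
  body.scan(ANCHOR_RE) do
    m = Regexp.last_match
    out << text.call(body[last...m.begin(0)])
    href = safe_href(m[2])
    label = escape_html(m[3])
    out << (href ? %(<a href="#{escape_html(href)}">#{label}</a>) : label)
    last = m.end(0)
  end
  out << text.call(body[last..-1])
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample posts: a legitimate link, a script-scheme link, raw markup, a bare URL.
  puts render_post('blah blah <a href="http://www.site.com">site</a> blah blah')
  puts render_post('<a href="javascript:alert(1)">click</a>')
  puts render_post('<script>x</script>')
  puts render_post('see http://example.com/a?b=1&c=2.')
end
```

The important design choice is that the output is built from escaped text by default and only the one allowlisted construct is let through, so a new tag or attribute is harmless until you deliberately add it; checking the scheme via `URI.parse` rather than by string prefix also catches leading whitespace and case tricks. This is the same principle the framework sanitizers follow, and it applies equally to comments from other users, not just your own posts.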

Dave Aronson wrote:

> > I couldn't put links in my
> > posts. I mean I can write links yes, but what I want to do is this:
> >
> > [code]
> > blah blah blah <a href="http://www.site.com">site</a> blah blah blah
> > [/code]
>
> Looks to me like you're running afoul of HTML sanitization. This is
> in fact for your (or rather, your users') protection, against
> cross-site-scripting attacks. If you REALLY want to do that sort of
> thing, you can explicitly mark the string as being already HTML-safe.
> I'll leave it to you to find out how to do that, as this is a serious
> vulnerability, not to be left unprotected-against lightly.
>
> Alternately, there are probably some plugins/gems/whatever that will
> let your users insert a *limited subset* of tags, including links...
> though of course the targets may contain cross-site-scripting
> attacks....
>
> -Dave

Thanks for your reply!

I am the only user on the site. Does either option still present a
threat for me?

If you allow people to comment, then their comments must likewise be
sanitized. If you do not, then that is an indirect hazard to you --
allowing common attack vectors like XSS vulnerabilities to go
unaddressed, is hazardous to your professional reputation. :slight_smile:

IOW, don't just do it because of any direct immediate threat to you.
Do it because it's The Right Thing To Do.

-Dave