Using <a href> in a text field

If this is a really stupid noob question I apologize in advance, and appreciate any answers I get from this.

I made a blog with rails, and just finished with the design. Upon creating my first real post, I realized I couldn't put links in my posts. I mean I can write links yes, but what I want to do is this:

[code] blah blah blah <a href="http://www.site.com">site</a> blah blah blah [/code]

So I really have no idea what to do. I googled html filters, url filters, and url parsers for about an hour before I posted this, so any information would be helpful. Thanks :smiley:

Looks to me like you're running afoul of HTML sanitization. This is in fact for your (or rather, your users') protection, against cross-site-scripting attacks. If you REALLY want to do that sort of thing, you can explicitly mark the string as being already HTML-safe. I'll leave it to you to find out how to do that, as this is a serious vulnerability, not to be left unprotected-against lightly.

Alternately, there are probably some plugins/gems/whatever that will let your users insert a *limited subset* of tags, including links... though of course the targets may contain cross-site-scripting attacks....

-Dave

Do you mean that you want the poster to be able to type <a href="http....> (which is dangerous as Dave has pointed out) or that you want the poster just to type www.site.com and that you will automatically turn this into a link (in which case you could use regular expressions to generate the links)?

Colin
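Both suggestions above can be shown in a few lines of Ruby. The block below is an added example, not code from the thread and not Rails' own implementation (in a real Rails app the built-in `sanitize` helper with its `tags:` and `attributes:` allow-lists is the right tool; this version runs stand-alone with only the standard library). The helper names `safe_href?`, `sanitize_post` and `auto_link`, and the sample posts, are constructed for the example. `sanitize_post` is Dave's "limited subset of tags" option: everything is escaped, and only `<a href="...">` survives, and only when the target is an absolute http(s) URL, which is how the "targets may contain cross-site-scripting attacks" caveat is handled. `auto_link` is Colin's option: the poster just types a bare URL and it is turned into a link after escaping.

```ruby
require "cgi"
require "uri"

# Added example (not the thread's or Rails' code). Allow-list sanitizer:
# escape every tag, then re-enable only <a href="..."> whose target is
# an absolute http or https URL.

SAFE_SCHEMES = %w[http https].freeze

# True only for absolute http(s) URLs with a host. javascript:, data:,
# vbscript: and scheme-relative targets ("//evil.example") are rejected.
def safe_href?(href)
  uri = URI.parse(href)
  SAFE_SCHEMES.include?(uri.scheme.to_s.downcase) && !uri.host.to_s.empty?
rescue URI::InvalidURIError
  false
end

# A literal <a href="...">label</a> in the raw post text. No nested tags.
LINK_RE = %r{<a\s+href="([^"<>]*)"\s*>([^<>]*)</a>}i.freeze

def sanitize_post(text)
  links = []
  # Replace each acceptable link with a placeholder that survives escaping;
  # rejected links are left in place so the escape step neutralises them.
  tokenized = text.delete("\u0000").gsub(LINK_RE) do
    href, label = $1, $2
    if safe_href?(href)
      links << %(<a href="#{CGI.escapeHTML(href)}">#{CGI.escapeHTML(label)}</a>)
      "\u0000LINK#{links.size - 1}\u0000"
    else
      $&
    end
  end
  escaped = CGI.escapeHTML(tokenized)
  escaped.gsub(/\u0000LINK(\d+)\u0000/) { links[$1.to_i] }
end

# Colin's alternative: the poster types a bare URL and we link it.
# Only http(s) URLs are matched, so "javascript:" text is never linked,
# and trailing punctuation is kept out of the link.
URL_RE = %r{https?://[^\s<>"']+?(?=[.,;:!?)]*(?:[\s<>"']|\z))}i.freeze

def auto_link(text)
  out = +""
  last = 0
  text.scan(URL_RE) do
    m = Regexp.last_match
    out << CGI.escapeHTML(text[last...m.begin(0)])
    url = CGI.escapeHTML(m[0])
    out << %(<a href="#{url}">#{url}</a>)
    last = m.end(0)
  end
  out << CGI.escapeHTML(text[last..])
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample posts.
  puts sanitize_post('blah blah <a href="http://www.site.com">site</a> blah')
  puts sanitize_post('<a href="javascript:alert(1)">click</a><script>x</script>')
  puts auto_link("visit http://www.site.com, then <b>http://a.b</b>")
end
```

Note the order in `sanitize_post`: escape first, re-enable second. Doing it the other way round (trusting the raw string and marking it `html_safe`) is exactly the step Dave warns against.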

Dave Aronson wrote:

I couldn't put links in my posts. I mean I can write links yes, but what I want to do is this:

[code] blah blah blah <a href="http://www.site.com">site</a> blah blah blah [/code]

Looks to me like you're running afoul of HTML sanitization. This is in fact for your (or rather, your users') protection, against cross-site-scripting attacks. If you REALLY want to do that sort of thing, you can explicitly mark the string as being already HTML-safe. I'll leave it to you to find out how to do that, as this is a serious vulnerability, not to be left unprotected-against lightly.

Alternately, there are probably some plugins/gems/whatever that will let your users insert a *limited subset* of tags, including links... though of course the targets may contain cross-site-scripting attacks....

-Dave

Thanks for your reply!

I am the only user on the site. Does either option still present a threat for me?

If you allow people to comment, then their comments must likewise be sanitized. If you do not, then that is an indirect hazard to you -- allowing common attack vectors like XSS vulnerabilities to go unaddressed is hazardous to your professional reputation. :slight_smile:

IOW, don't just do it because of any direct immediate threat to you. Do it because it's The Right Thing To Do.

-Dave