I'm creating a site that involves a blog, using Rails 2.3.8.
I've used the YUI Rich Text Editor to allow posts to be created (the
blog is for a photo site so images have to be uploaded) and the
SimpleEditor for posting comments.
In both cases, I'm using Hpricot to parse the html for index and show
I'm concerned about security, as I cannot use h or sanitize on the
output because if I do I lose the rich text functionality that the
client wants. But of course that opens the site to attack.
I really need some server side validation. I found some old posts on
this topic (2006) but the links were broken.
I'm sure other people have faced this problem before. Can anybody
point me in the direction of something that can help me validate the
html output so I can sleep better?