Hi!

What are the plans for the insecure text helpers strip_tags, strip_links and sanitize? See also http://dev.rubyonrails.org/ticket/8877. The white_list plugin does a good job removing tags on a whitelist basis; it could be included in the core. Here is a first version of more secure text helpers, using the white_list plugin. Do I have to make it a plugin, or is there a chance for the core?

module SecureHelper

  include WhiteListHelper

  # TODO sanitize

  #################################################################################################

  # Strips every tag that is not on the whitelist (default: allow nothing).
  # Options:
  #   :whitelist => tags hash in the white_list plugin's format; these survive
  #   :blacklist => array of tag names; only these are touched, everything else is left alone
  #   :sanitize  => true escapes the offending tags (&lt; / &gt;) instead of removing them
  def secure_strip_tags(html, options = {})
    return html if html.blank? || !html.include?('<')

    # Swap the plugin's global tag whitelist for the caller's one and restore
    # it afterwards, even if white_list raises.
    tags = WhiteListHelper.tags
    WhiteListHelper.tags = options[:whitelist] || {}

    # Which nodes to act on: every tag, or only the blacklisted tag names.
    targeted = lambda do |node|
      node.is_a?(HTML::Tag) &&
        (options[:blacklist].nil? || options[:blacklist].include?(node.name))
    end

    # What to do with a targeted tag: escape it or drop it (nil); text and
    # untargeted tags pass through unchanged.
    block = lambda do |node, bad|
      if targeted.call(node)
        options[:sanitize] ? node.to_s.gsub('<', '&lt;').gsub('>', '&gt;') : nil
      else
        node.to_s
      end
    end

    begin
      # Re-run white_list until the output stops changing: removing one tag
      # can expose another tag nested inside it, and stray single '<' or '>'
      # characters never go away on their own, so the loop must stop on a
      # fixed point rather than on html.include?('<') alone.
      while html.include?('<')
        html_deleted = white_list(html, {}, &block)
        break if html_deleted == html
        html = html_deleted
      end
    ensure
      WhiteListHelper.tags = tags
    end

    # With neither :blacklist nor :whitelist the leftover brackets could be
    # dropped as well: html.gsub('<', '').gsub('>', '')
    html
  end

  #################################################################################################

  def secure_strip_links(html)
    secure_strip_tags(html, :blacklist => %w(a href))
  end

  #################################################################################################

end
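
As an added example (not the code from the post above and not the white_list plugin), here is a small whitelist-based tag stripper in plain Ruby that can be run without Rails. It stands in for the plugin with a regex tokenizer (an assumption made for brevity; the plugin uses a real HTML tokenizer) and shows the two ideas the post relies on: a tag survives only if its name is on a whitelist, and the strip is repeated until the output stops changing, because removing one tag can expose another tag that was written inside it. The :sanitize behaviour (escape instead of remove) is included as a keyword option.

```ruby
# Added example, not the post's code and not the white_list plugin.
# Minimal whitelist-based tag stripper: keeps whitelisted tags by name only,
# drops (or escapes) every other tag, and repeats until a fixed point.

# Matches one opening or closing tag and captures its name. A lone '<' or '>'
# that is not followed by a tag name does not match and stays as text.
# Simplification: attribute values containing '>' are not handled.
TAG_RE = /<\/?([a-zA-Z][a-zA-Z0-9]*)[^>]*>/

# One pass over the string. Whitelisted tags are re-emitted by name only, so
# any attributes they carried (event handlers included) are discarded; every
# other tag is removed, or HTML-escaped when sanitize: true is given.
def strip_pass(html, whitelist, sanitize: false)
  html.gsub(TAG_RE) do |tag|
    name = Regexp.last_match(1).downcase
    if whitelist.include?(name)
      tag.start_with?('</') ? "</#{name}>" : "<#{name}>"
    elsif sanitize
      tag.gsub('<', '&lt;').gsub('>', '&gt;')
    else
      ''
    end
  end
end

# Repeat strip_pass until the output equals the input. A single pass is not
# enough: removing the inner tag of '<<b>b>' leaves a new '<b>' behind.
def secure_strip(html, whitelist = [], sanitize: false)
  return html unless html.include?('<')
  loop do
    stripped = strip_pass(html, whitelist, sanitize: sanitize)
    return stripped if stripped == html
    html = stripped
  end
end

if __FILE__ == $0
  # Constructed sample input: a tag written inside another tag, which a
  # one-pass stripper leaves intact.
  nested = '<<script>script>alert(1)<</script>/script>'
  puts strip_pass(nested, [])    # one pass still contains a <script> tag
  puts secure_strip(nested, [])  # fixed point leaves only the text alert(1)
  puts secure_strip('<b onclick="x">bold</b> <img src=x>', %w(b))
  puts secure_strip('<i>x</i>', [], sanitize: true)
  puts secure_strip('1 < 2 and 3 > 1', [])  # lone brackets are left as text
end
```

The fixed-point loop is the part that matters: `strip_pass` alone turns the nested input into `<script>alert(1)</script>`, which is exactly the output a single-pass stripper would hand to the browser; `secure_strip` keeps going until nothing changes and returns plain text.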

