Good luck with that - it's not (in general) possible to do this. Even if you kill off all the scripting, with some CSS knowledge, a malicious user could make a fake login page and phish people.
Little things like IE6 and 7's support of javascript in CSS attributes could also cause trouble...

--Matt Jones

On May 12, 6:52 am, fausto <fausto.ga...@email.it> wrote:
> Hi, I'm allowing users to upload HTML stuff, what can I use to
> sanitize it? h() is not good as it escapes everything, and I've found
> that the Rails sanitize() is too strict, it sanitizes also CSS style
> attributes, so users cannot personalize their HTML... I'd like
> something which permits including code like youtube embedded, CSS
> styles (only inline, not by external link), which strips stuff like
> html, head and keeps just the body, and all the script tags or btw
> everything which could cause XSS and other problems... what do you
> suggest?
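The thread's sticking point is the `style` attribute: Rails' sanitize() strips it, and Matt's reply explains why blindly keeping it is dangerous (IE6/7 evaluate `expression()` and `behavior:` inside CSS). The block below is an added, standalone Ruby example, not code from either poster and not Rails' own sanitizer (Rails ships a `sanitize_css` helper of its own; this is independent of it). It shows the shape a filter for inline style values needs: an allowlist of properties, a character allowlist for values that rules out the syntax every CSS-to-script trick depends on (parentheses outside `rgb()`, colons, slashes, backslashes, `<>`), and a deliberate refusal of `position`/`z-index`, since those are what let a scriptless fragment sit on top of the host page's real login form. The property list, the value grammar and the sample inputs are all assumptions constructed for the example; tag and attribute allowlisting of the HTML itself is left to whatever HTML sanitizer wraps this. It does not settle Matt's broader point: a user who may set colours, fonts, sizes and borders can still draw a convincing fake login box inside their own content.

```ruby
# Added example (not from the original thread): allowlist filter for the
# value of an inline style="" attribute. Everything below is an assumption
# made for illustration, not a description of Rails' sanitize helpers.

# Properties a user may set. position, z-index, top/left, behavior,
# -moz-binding and the like are deliberately absent: position/z-index let a
# fragment overlay the host page (phishing), the rest execute code in old IE
# and Mozilla builds.
ALLOWED_CSS_PROPERTIES = %w[
  color background-color font-size font-weight font-style font-family
  text-align text-decoration margin padding border width height
  float display
].freeze

# Character allowlist for a single declaration value. It permits plain
# keywords, lengths, hex colours, quoted font names and rgb()/rgba() with
# numeric arguments only. Excluded on purpose:
#   ( )  outside rgb()   -> expression(...), url(...), behavior:url(...)
#   :                    -> javascript:, vbscript:, data:
#   / *                  -> CSS comments used to split keywords (expr/**/ession)
#   \                    -> CSS escapes used to hide keywords (\65xpression)
#   < > ; !              -> HTML breakout, declaration smuggling, !important
SAFE_VALUE_PATTERN = /\A(?:[-\w\s#%.,'"]+|rgba?\(\s*[\d\s,.%]+\s*\))+\z/i

# Returns the declarations of +style+ that pass both allowlists, joined back
# into a string suitable for writing into a style="" attribute. Anything the
# filter does not understand is dropped rather than "fixed".
def sanitize_inline_style(style)
  kept = []
  style.to_s.split(";").each do |declaration|
    property, _, value = declaration.partition(":")
    property = property.strip.downcase
    value = value.strip
    next if property.empty? || value.empty?
    next unless ALLOWED_CSS_PROPERTIES.include?(property)
    next unless value =~ SAFE_VALUE_PATTERN
    kept << "#{property}: #{value}"
  end
  kept.join("; ")
end

# Constructed samples: what a user might upload, and what survives.
CONSTRUCTED_SAMPLES = [
  "color: red; font-size: 12px",                       # benign, kept intact
  "width: expression(alert(1)); color: blue",          # IE expression()
  "background-color: url(javascript:alert(1))",        # url()/javascript:
  "behavior: url(evil.htc); font-weight: bold",        # IE behavior property
  "position: absolute; z-index: 9999; color: #fff",    # overlay for phishing
  "color: red/**/; font-size: 1em",                    # comment smuggling
  "color: rgb(255, 0, 0)",                             # legitimate function
].freeze

# Maps each constructed sample to its sanitized form.
def run_samples
  CONSTRUCTED_SAMPLES.each_with_object({}) do |sample, out|
    out[sample] = sanitize_inline_style(sample)
  end
end

if __FILE__ == $0
  run_samples.each do |input, output|
    puts "#{input.inspect} => #{output.inspect}"
  end
end
```

Run it directly to see each sample alongside what survives; the rejected declarations disappear entirely, which is the behaviour you want from a sanitizer (attempting to repair a hostile value just hands the attacker another parsing layer to target).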