You can customize Rails' built-in sanitization by setting config.action_view.sanitized_allowed_tags and the like in your environment.rb:

config.action_view.sanitized_allowed_tags = %w[ list of additional html tags to allow ]

You can do the same with config.action_view.sanitized_allowed_attributes, sanitized_allowed_css_properties, and sanitized_allowed_css_keywords. However, this is 1) fairly inflexible, as it affects the operation of all sanitize() calls, and 2) sanitize uses the Ruby Tokenizer, which is slow. You might be better off looking into the Hpricot-based Sanitize gem (http://wonko.com/post/sanitize); however, I myself haven't yet used it, and it looks like it's only geared toward HTML, so I don't know if it's able to sanitize CSS attributes.

On May 12, 12:37 pm, Matt Jones <al2o...@gmail.com> wrote:
> Good luck with that - it's not (in general) possible to do this. Even
> if you kill off all the scripting, with some CSS knowledge, a
> malicious user could make a fake login page and phish people.
>
> Little things like IE6 and 7's support of javascript in CSS attributes
> could also cause trouble...
>
> --Matt Jones
>
> On May 12, 6:52 am, fausto <fausto.ga...@email.it> wrote:
>
> > Hi, I'm allowing users to upload HTML stuff; what can I use to
> > sanitize it? h() is not good as it escapes everything, and I've found
> > that the Rails sanitize() is too strict: it also sanitizes CSS style
> > attributes, so users cannot personalize their HTML... I'd like
> > something which permits including code like YouTube embeds, CSS
> > styles (only inline, not by external link), which strips stuff like
> > html, head and keeps just the body, and all the script tags or btw
> > everything which could cause XSS and other problems... what do you
> > suggest?
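The part of fausto's question that the Rails allowlist settings address least obviously is the style="" attribute: sanitized_allowed_css_properties and sanitized_allowed_css_keywords only work if the values are checked as well as the property names, which is exactly the hole Matt's remark about javascript in CSS attributes (IE's expression() and friends) points at. Below is an added stand-alone example of what such a per-call allowlist looks like; it is not Rails' own WhiteListSanitizer, not the Sanitize gem, and not code posted by anyone in this thread. The property and keyword lists, the token grammar, and the sample input are assumptions chosen for illustration.

```ruby
# Added example: a stand-alone allowlist sanitizer for the style="" attribute.
# It models the job Rails' sanitized_allowed_css_properties /
# sanitized_allowed_css_keywords settings do, but is illustration code only,
# not Rails' WhiteListSanitizer and not the Sanitize gem.

# Properties a user may set on their own markup (assumed list). Positioning
# properties (position, top, left, z-index) are deliberately absent: with them
# a user can float a fake login form over the host page.
ALLOWED_CSS_PROPERTIES = %w[
  color background-color font-family font-size font-weight font-style
  text-align text-decoration line-height margin padding border width height
].freeze

# Bare words accepted as values (assumed list). Anything else must be a number,
# a colour or a quoted font name, so expression(...), url(...) and javascript:
# never pass, whatever property they are attached to.
ALLOWED_CSS_KEYWORDS = %w[
  auto bold italic normal none underline left right center justify
  solid dashed dotted inherit serif sans-serif monospace
  red green blue black white gray transparent
].freeze

NUMERIC_TOKEN = /\A-?\d+(?:\.\d+)?(?:px|em|ex|pt|%)?\z/i
HEX_COLOUR    = /\A#[0-9a-f]{3}(?:[0-9a-f]{3})?\z/i
RGB_COLOUR    = /\Argb\(\s*\d{1,3}\s*,\s*\d{1,3}\s*,\s*\d{1,3}\s*\)\z/i
QUOTED_NAME   = /\A(?:"[\w \-]+"|'[\w \-]+')\z/

# Split a declaration value into tokens: quoted strings stay whole, the rest
# breaks on whitespace and commas. Every non-separator byte lands in some
# token, so validating the tokens validates the whole value.
def css_value_tokens(value)
  value.scan(/"[^"]*"|'[^']*'|[^\s,]+/)
end

def css_value_safe?(value)
  return true if value =~ RGB_COLOUR   # rgb(r, g, b) contains separators; check it whole
  tokens = css_value_tokens(value)
  return false if tokens.empty?
  tokens.all? do |token|
    ALLOWED_CSS_KEYWORDS.include?(token.downcase) ||
      token =~ NUMERIC_TOKEN || token =~ HEX_COLOUR || token =~ QUOTED_NAME
  end
end

# Returns the declarations that survive the allowlist as "property: value"
# pairs joined by "; ". Unknown properties and unsafe values are dropped,
# never repaired: there is no safe way to "fix" expression(alert(1)).
def sanitize_inline_css(style)
  style.to_s.split(';').filter_map do |declaration|
    property, _sep, value = declaration.partition(':')
    property = property.strip.downcase
    value = value.strip
    next unless ALLOWED_CSS_PROPERTIES.include?(property)
    next unless css_value_safe?(value)
    "#{property}: #{value}"
  end.join('; ')
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample input: legitimate user styling mixed with the IE-era
  # vectors the thread mentions and an overlay attempt via position.
  puts sanitize_inline_css(
    'color: #c00; font-family: "Times New Roman", serif; ' \
    'width: expression(alert(1)); background-color: url(javascript:alert(1)); ' \
    'position: absolute; -moz-binding: url(http://evil.example/x.xml)'
  )
end
```

Run as a script it prints only `color: #c00; font-family: "Times New Roman", serif`: the expression(), url(javascript:), -moz-binding and position declarations are all gone. The design choice worth noting is that rejection is decided per token against a closed grammar rather than by blacklisting strings like "expression", so a browser-specific vector nobody thought of still fails to match anything on the list.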