How best to sanitize fields in ruby on rails

ruby-on-rails ruby-on-rails-3 activerecord tinymce sanitization
Chris picture Chris · Jan 19, 2012 · Viewed 7.5k times · Source

I currently have a controller capturing some html from TinyMCE on the front end. If I tinker with firebug it is possible to submit script tags and inject alert messages etc on to the screen.

edit: Currently I am fixing this in the model by using the sanitize helper:

require 'action_view'

class NotesController < AuthApplicationController

  include ActionView::Helpers::SanitizeHelper
...
  def update
    params[:note][:content] = sanitize(params[:note][:content],
        :tags => %w(a object p param h1 h2 h3 h4 h5 h6 br hr ul li img),
        :attributes => %w(href name src type value width height data) );

    @note.update_attributes(params[:note])

This feels messy in the controller. Is there a better way? I.e. somehow integrate this ActiveRecord so I can easily specify to do this to this and other fields before saving in a similar way to validation?

Thanks for any suggestions.

edit:

Making some progress here.

Under my /Libs I have

module SanitizeUtilities
  def sanitize_tiny_mce(field)
    ActionController::Base.helpers.sanitize(field,
      :tags => %w(a b i strong em p param h1 h2 h3 h4 h5 h6 br hr ul li img),
      :attributes => %w(href name src type value width height data) );
  end
end

Then in my Models the code collapses to

class MyModel < ActiveRecord::Base
  include ::SanitizeUtilities
...
  before_save :sanitize_content
...
  def sanitize_content
    self.content = sanitize_tiny_mce(self.content)
  end

end

This seems to strip out unwanted markup without too much fuss.

Pretty new to rails so nervous I might be doing something wrong. Can anybody see potential drawbacks here?

Thanks again

Answer

iwasrobbed picture iwasrobbed · Jan 19, 2012

I think the way you are doing it is fine, but if you are using before_save then you could potentially still fail validations (since before_save is called after validations). Also, you don't necessarily have to put it into it's own module, it could just be a private method on your class.

Something like:

class MyModel < ActiveRecord::Base

  before_validation :sanitize_content, :on => :create

  private
    def sanitize_content
      self.content = sanitize_tiny_mce(self.content)
    end
    def sanitize_tiny_mce(field)
      ActionController::Base.helpers.sanitize(field,
        :tags => %w(a b i strong em p param h1 h2 h3 h4 h5 h6 br hr ul li img),
        :attributes => %w(href name src type value width height data) );
    end

end

Related questions

Check if record exists from controller in Rails

In my app a User can create a Business. When they trigger the index action in my BusinessesController I want to check if a Business is related to the current_user.id: If yes: display the business. If no: redirect …

Read More
Can you do greater than comparison on a date in a Rails 3 search?

I have this search in Rails 3: Note.where(:user_id => current_user.id, :notetype => p[:note_type], :date => p[:date]).order('date ASC, created_at ASC') But I need the :date => p[:date] condition to be …

Read More
How to chain scope queries with OR instead of AND?

I'm using Rails3, ActiveRecord Just wondering how can I chain the scopes with OR statements rather than AND. e.g. Person.where(:name => "John").where(:lastname => "Smith") That normally returns: name = 'John' AND lastname = 'Smith' but I'd like: `…

Read More