Ruby on Rails Tuesday, November 23, 2010

I am trying to include a section wherein my users can input HAML and
view the resulting HTML page.

I would like to make this as un-exploitable as possible.

This is what I have in place now:
= Haml::Engine.new(current_user.userinput).render(self)

This is obviously no good.

Previously, I was using standard HTML, and used sanitize to allow only
a certain array of tags, e.g.
= sanitize current_user.userinput, :tags => %w(div br span a h1 h2
h3 ul li hr b em img), :attributes => %w(style href id class title
src)

Is there any way to combine the two? I'd like to only allow specific
tags in both HTML and HAML to be processed, and everything else,
including Ruby code, to be ignored/escaped.

--
You received this message because you are subscribed to the Google Groups "Ruby on Rails: Talk" group.
To post to this group, send email to rubyonrails-talk@googlegroups.com.
To unsubscribe from this group, send email to rubyonrails-talk+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/rubyonrails-talk?hl=en.
