Sanitizing input in Rails
Rails offers the html_escape
method (usually shortened to h
), which prevents simple attempts at code injection. However, when users are entering content onto a site, there is a very good case for sanitizing the input. After all, if a rogue user is injecting unwanted code into my HTML forms, why would I want to store it in my database? It makes sense to neutralize it before it gets stored.
A couple of years ago Jay Laney wrote a plugin called sanitize_params to do precisely that. It uses Rick Olsen’s white_list plugin to sanitize incoming params before they hit the controller.
Since then, Rick’s plugin has been incorporated into the Rails trunk as the Sanitizer module (the HTML::Sanitizer::WhiteListSanitizer
class does more-or-less the same job as the original white_list
method in his plugin).
As Rick pointed out some time ago, “the common technique was to mix the helpers directly in to your model and call them directly. However, I recently just refactored a lot of that code into the html tokenizer library. You can now access the classes directly as HTML::Sanitizer, HTML::LinkSanitizer, and HTML::WhiteListSanitizer”.
So, I downloaded the original plugin, amended the code to use HTML::WhiteListSanitizer, installed it into my application and then uploaded it to github.
It seems to work very nicely now.