Anyone who’s done anything much with PHP and receiving rich-text input from something like

Question

0

Asked: May 22, 20262026-05-22T14:38:50+00:00 2026-05-22T14:38:50+00:00

Anyone who’s done anything much with PHP and receiving rich-text input from something like

0

Anyone who’s done anything much with PHP and receiving rich-text input from something like TinyMCE has (probably) used something like HTMLPurifier to keep the nasties out of the HTML you’re intentionally allowing the user to submit.

For example, HTMLPurifier will take a string of (potentially malformed) HTML and strip out disallowed elements and attributes, try to fix broken HTML, and in some cases convert things like <i> to <em>.

Does anything equivalent exist for Rails (3)? What’s the generally accepted way to sanitize input from rich text editors in Rails so that you can output the unescaped HTML onto a web page and know that stuff like <style> and <script> tags have been taken out of it and it’s not going to break your page (or steal your cookies!)?

EDIT | Anybody used Sanitize? Any other options with pro’s & con’s?

Report

Leave an answer
Cancel reply

You must login to add an answer.

Need An Account,

1 Answer

Editorial Team · Answer 1 · 2026-05-22T14:38:51+00:00

Editorial Team

2026-05-22T14:38:51+00:00Added an answer on May 22, 2026 at 2:38 pm

You can use the sanitize method.

sanitize(html)

There is also a Sanitize gem.

Sanitize.clean(html)

I tend to prefer the Sanitize gem because it can be used as a before_save filter in your models instead of having to use the sanitize method in each of your views.

0

Reply
Share
Share

- Report

Sign Up

Sign In

Forgot Password

The Archive Base Latest Questions

Anyone who’s done anything much with PHP and receiving rich-text input from something like

Leave an answerCancel reply

1 Answer

Leave an answer
Cancel reply