Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
I have a partial that contains this sanitize() code:
<%= sanitize comment.body,
:tags => %w(a b embed i img object p param),
:attributes => %w(allowfullscreen allowscriptaccess href name src type value) %>
I’d like users to be able to embed videos, links, pictures, use italics, bold, etc.
How unsafe is this and if I put this on a live website what should I expect or be prepared to deal with?
Note: this is assuming there is no sanitizing of input obviously.
Thanks for reading.
The tags you really have to watch out for is <script/> and <object/>.
If allowing videos, you should either validate against an acceptable object format that matches the expected values coming from YouTube and other systems OR (ideally) create a UI that handles the embedding for the user.
Last year I created a system that allowed video embedding by taking a YouTube URL and manually deriving the object embed code. It had the benefit of making the user experience pretty streamlined as well as protecting the system from a potential vector of attack.
Oh, and other thing – use strong an em, rather than b and i if you can.