Sign Up to our social questions and Answers Engine to ask questions, answer people’s questions, and connect with other people.
Login to our social questions & Answers Engine to ask questions answer people’s questions & connect with other people.
Lost your password? Please enter your email address. You will receive a link and will create a new password via email.
Please briefly explain why you feel this question should be reported.
Please briefly explain why you feel this answer should be reported.
Please briefly explain why you feel this user should be reported.
Is it safe to use the ‘raw’ helper in a Rails app that may have many users?
I will be integrating TinyMCE with my app, for users to add HTML content to some form of post. Is it a security issue to use ‘raw’ to display their content?
Or is there a more proper way of doing things?
Thanks!
From the fine manual:
So, yes, using
rawcan be bit of a security issue (for your users) unless you properly sanitize the HTML that comes in.You shouldn’t trust the client. Even if you’ve set up TinyMCE with a limited set of tags, you have no guarantee that the HTML that your server receives actually came from TinyMCE or that someone hasn’t worked around TinyMCE in some way.
If you’re accepting HTML from users, then you need to whitelist both the tags and attributes before you store it.
You can use Nokogiri to parse the incoming HTML tag by tag, if a tag is on your whitelist then let it through, if you aren’t explicitly allowing that tag (i.e. it isn’t on your whitelist) then throw it away. And, you’ll want to check the attributes on the tags you let through so that only attributes and attribute values that you want get through. Any tags, attributes, or attribute values that aren’t on your whitelists get thrown away. Once you’ve scrubbed the incoming HTML, you can store it and safely present it to your user’s using the
rawhelper.This added complexity is one reason that a lot of sites use Markdown, BB-Code, or some other markup language that generates HTML.