Now that I have my rudimentary commenting system, I thought it best to add some level of security to my site. All it takes is one malicious visitor stopping by and inserting a load of JavaScript into a comment and, bam, my site is a walking time bomb that runs that script in every other visitor's browser.
So I ventured over to the wonderful world of the Rails API to find a suitable quick fix (as I plan on putting more effort into this later). After scanning the documentation I came across three ways to accomplish my task. Enter option 1:
<%=h comment.stuff_to_print %>
I could simply add the h method in every place I output the potentially dangerous contents. It is easy to remember, but I am not too keen on using it for my situation, because it would have to process those comments every time they are pulled out of the database.
That alone drove me to find another solution. However, other flaws exist with this option: if the way you output changes (or the number of fields output changes), you would have to remember to always have that 'h' in the right spot, and forgetting it once reopens the hole.
Too much maintenance!
Now, enter options 2 and 3, both of which come from ActionView::Helpers::TextHelper and are easily used by adding this to your application.rb (or to a single controller if you so desire):
include ActionView::Helpers::TextHelper
Simple enough. If you run into a RoR error message such as:
undefined method `sanitize' for #<UserController:0x4093ed94>
then it means you didn't properly include TextHelper in that controller (the helper is only mixed into views by default).
Now that you have included TextHelper you can use the following two options without shame or fear of reprimand:
1. sanitize()
2. strip_tags()
The difference between the two functions is simple. strip_tags REMOVES every HTML tag and keeps only the text between them. sanitize leaves ordinary markup in place and only defangs what it knows about: it turns <script> and <form> tags into visible text by exchanging their '<' for &lt;, removes all "onxxx" event-handler attributes, and removes href attributes that start with "javascript:". Both neutralise the obvious script injection, but note the difference in approach: h and strip_tags treat every tag the same way, while sanitize is a blacklist, so any tag or attribute it does not list passes through unchanged.
My decision was to go with the sanitize() method and use it to fix up comment posts before inserting them into the database (that way I can still see who was trying to be not-so-nice, and so can everyone else!). One caveat with filtering on the way in: the stored text is already filtered, so if the rules change later they cannot be re-applied to existing comments, whereas escaping at output time with h always uses the current rules.
Well, the post today is simple and short, but I plan on getting more time to work on RoR this week. Happy Easter!

Charles said:
<script language='javascript1.3' type='text/javascript'>alert('I cant use javascript!')</script>
2006-04-15 13:44:54 UTC