user3631047 - 10 months ago 82
HTML Question

How to save and retrieve HTML tags in a database in Rails?

I need to save and retrieve HTML tags in the database in my Rails app safely. Currently I save the HTML without any validation, like below:

<h2>Sample title</h2>
<p>sample description</p>

and in the view I use <%= raw @page.description %>. It works as expected. But I need to know: is it safe or not?


You can never be sure it is safe. Always treat all user input as hostile.

However, if by "safe" you mean "devoid of potentially really harmful elements like <script>s and <style>s", then I present to you the Sanitization Helper. You can print your HTML from the database and only allow a certain whitelist of tags.

<%=raw sanitize @page.description, tags: %w(h2 p strong em a), attributes: %w(id class href) %>

The above example will allow all h2, p, strong, em and a tags, and only the id, class and href attributes on them. Everything else will be removed.
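To make the allowlist behaviour above concrete, here is an added example (not part of the question or the answer, and not Rails' own code): a small allowlist sanitizer written against the Ruby standard library only, so it runs without Rails. It models what the answer's sanitize call does to stored HTML with tags: %w(h2 p strong em a) and attributes: %w(id class href): listed tags and attributes are kept, everything else is stripped (with the text inside a stripped tag kept as escaped text), and an href whose scheme is not http, https or mailto is dropped, even when the scheme is obfuscated with entities or leading whitespace. The sample HTML strings are constructed for the demo. It is a tokenizer, not an HTML5 parser, so unlike Rails' sanitize (which is backed by Loofah/Nokogiri) it does not repair broken nesting; use it to understand the behaviour, not as a replacement.

```ruby
# Added example: allowlist sanitizer in plain Ruby (stdlib only).
# This is NOT Rails' sanitize helper; it only models its tag/attribute
# allowlist behaviour so the effect on stored HTML can be seen offline.
require "cgi"

ALLOWED_TAGS       = %w[h2 p strong em a].freeze       # from the answer
ALLOWED_ATTRIBUTES = %w[id class href].freeze          # from the answer
# Schemes an href may use (assumption for this example). Anything else,
# e.g. javascript:, data:, vbscript:, is dropped. Relative URLs are fine.
ALLOWED_PROTOCOLS  = %w[http https mailto].freeze

# Matches an HTML comment, or an opening/closing tag: group 1 = tag name,
# group 2 = raw attribute text. Comments leave group 1 nil.
TAG_RE  = /<!--.*?-->|<\/?([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/m
# name, then optionally ="double" | ='single' | bare
ATTR_RE = /([a-zA-Z_:][-a-zA-Z0-9_:.]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'=<>`]+)))?/

# Decode then re-encode so existing entities are not double-escaped and a
# literal "<" in text can never reach the browser as markup.
def escape_text(text)
  CGI.escapeHTML(CGI.unescapeHTML(text))
end

# Decode entities and strip control characters / whitespace before looking
# at the scheme, so "java&#10;script:" or "\tjavascript:" cannot slip past.
def safe_href?(value)
  v = CGI.unescapeHTML(value).gsub(/[\x00-\x20\x7f]/, "").downcase
  m = v.match(/\A([a-z0-9][-+.a-z0-9]*):/)
  m.nil? || ALLOWED_PROTOCOLS.include?(m[1])
end

# Keep only allowlisted attribute names; drop href values with a bad scheme.
def sanitize_attributes(raw_attrs)
  raw_attrs.scan(ATTR_RE).filter_map do |name, dq, sq, bare|
    name = name.downcase
    next unless ALLOWED_ATTRIBUTES.include?(name)
    value = dq || sq || bare || ""
    next if name == "href" && !safe_href?(value)
    %( #{name}="#{escape_text(value)}")
  end.join
end

# Walk the input tag by tag: text is escaped, comments vanish, disallowed
# tags are stripped (their inner text survives as text), allowed tags are
# re-emitted lower-cased with only their allowed attributes.
def sanitize_html(html)
  out = +""
  pos = 0
  while (m = TAG_RE.match(html, pos))
    out << escape_text(html[pos...m.begin(0)])
    pos = m.end(0)
    name = m[1]&.downcase
    next if name.nil? || !ALLOWED_TAGS.include?(name)
    out << (m[0].start_with?("</") ? "</#{name}>" : "<#{name}#{sanitize_attributes(m[2])}>")
  end
  out << escape_text(html[pos..])
end

# Constructed sample: the page's own stored HTML plus a hostile description.
SAMPLE_STORED_HTML = "<h2>Sample title</h2>\n<p>sample description</p>"
HOSTILE_STORED_HTML = %{<h2 onclick="steal()">Hi</h2><script>alert(1)</script>} +
                      %{<a href="javascript:alert(1)" class="x">click</a><p>a < b &amp; c</p>}

if __FILE__ == $PROGRAM_NAME
  puts sanitize_html(SAMPLE_STORED_HTML)   # unchanged: only allowed markup
  puts sanitize_html(HOSTILE_STORED_HTML)  # onclick, <script> tags, javascript: href gone
end
```

In a real Rails view the call is simply <%= sanitize @page.description, tags: ..., attributes: ... %>: sanitize already returns an html_safe string, so wrapping it in raw adds nothing. Sanitizing at render time, as the answer does, also means the stored original is untouched and the allowlist can be tightened later without migrating data.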