HTML Question
How to save and retrieve HTML tags in database in rails?
I need to save and retrieve HTML tags in database in my rails app safely. Currently I save HTML without any validation like below:
<h2>Sample title</h2>
<p>sample description</p>
and in the view I use
<%=raw @page.desription %>
Answer
You can never be sure it is safe. Always treat all user input as hostile.
However, if by "safe" you mean "devoid of potentially really harmful elements like <script>s and <style>s", then I present to you the Sanitization Helper. You can print your HTML from the database and only allow a certain whitelist of tags.
<%=raw sanitize @page.description, tags: %w(h2 p strong em a), attributes: %w(id class href) %>
The above example will allow all h2, p, strong, em and a tags, and only the id, class and href attributes on them. Everything else will be removed.
Source (Stackoverflow)