0

We were using a combination of the Sanitize gem and HTMLEntities to do some clean up of user input HTML. The Sanitize gem used Hpricot, but now uses Nokogiri. I need to get Hpricot out of the app.

Here are two test strings, each followed by the output I'm expecting:

Test string 1:

"SOME TEXT < '<span style='background-image: url(\"http://evil.ru/webbug.png\")'>MORE' & TEXT!!!</span>"

expected_text = "SOME TEXT < 'MORE' & TEXT!!!"

Second test string (a slightly different path):

'Support <i>odd</i> chars like " < \' ‽'

expected_text = 'Support <i>odd</i> chars like &quot; &lt; &#39; ‽'

Is this something you've solved? What tools did you use?

John Topley
  • 113,588
  • 46
  • 195
  • 237
whatbird
  • 1,552
  • 1
  • 14
  • 25
  • Sorry, I cannot understand your question. You say your tests are failing. What's the result you are getting instead of the expected one. Do you want some tags to be sanitized, some to remain, and special chars to be escaped to HTML entities? – Macario Jul 13 '12 at 15:35
  • i've edited the question for clarity. but yes, for the first string, i expect html tags to be stripped, but the loose '<' to remain. – whatbird Jul 13 '12 at 16:35

1 Answers1

2

You may want to try the Loofah gem:

Loofah.document("SOME TEXT < '<span style='background-image: url(\"http://evil.ru/webbug.png\")'>MORE' & TEXT!!!</span>").to_html
=> "SOME TEXT MORE' &amp; TEXT!!!"

Loofah isn't handling the unicode character in the second example for some reason, but I'd be happy to look into it if you file a Github Issue on Loofah (full disclosure: I'm the author of Loofah and co-author of Nokogiri).

Some more links:

Mike Dalessio
  • 1,352
  • 9
  • 11