0

I want to use the RedCloth gem. I installed it, and in my Gemfile I put -> gem 'RedCloth'. In my show.html.erb I put ->

<%= RedCloth.new(@post.text).to_html %>

and I saw plain HTML syntax, so then I used

<%= raw RedCloth.new(@post.text).to_html %>

and it works perfectly, but it's not safe:
@post.text -> put there by some user

and when I put <script> alert('!!!') </script> I saw "!!!" in an alert.

How do I use RedCloth safely (or recommend another gem)?

Dmytro Vasin
  • Check this similar question: http://stackoverflow.com/questions/501737/how-do-i-textile-and-sanitize-html – gparis Aug 28 '12 at 13:09

1 Answer

0

The sanitize gem (https://github.com/rgrove/sanitize/) is a solid choice for whitelisting only certain HTML elements and blocking others (eg )

John Paul Ashenfelter
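The principle behind the answer above is allowlisting: treat everything RedCloth emits as untrusted HTML, keep only a fixed set of harmless elements, and leave the rest inert. In a real app you would do that with the sanitize gem (`Sanitize.fragment(html, Sanitize::Config::BASIC)`) or with Rails' own `sanitize` view helper, both of which parse the HTML properly. The block below is an added, self-contained illustration of the same idea in plain Ruby so it runs without either gem; it is not code from the answerer, from RedCloth or from the sanitize gem. `ALLOWED_TAGS`, `allowlist_html` and the constructed `SAMPLE_REDCLOTH_OUTPUT` string (which mimics what RedCloth produces for the question's payload) are all assumptions of this example.

```ruby
# Tags that user-authored Textile commonly produces and that we choose to let
# through. Anything else (script, iframe, img, event-handler attributes, ...)
# stays escaped. The list itself is an assumption for this example.
ALLOWED_TAGS = %w[p b i strong em ul ol li h1 h2 h3 blockquote code pre].freeze

# Allowlist sanitizer using the "escape everything, then re-allow exact safe
# tokens" approach: every '<' and '>' is neutralised first, so no tag can
# start; afterwards only the literal, attribute-free open/close forms of the
# allowlisted tags are turned back into markup. A tag carrying attributes
# (<b onmouseover="...">) never matches and therefore stays as visible text.
# '&' is left alone on purpose: the input is already HTML from RedCloth, so
# entities such as &#8217; must survive untouched.
def allowlist_html(html)
  escaped = html.gsub('<', '&lt;').gsub('>', '&gt;')
  ALLOWED_TAGS.each do |tag|
    escaped = escaped.gsub("&lt;#{tag}&gt;", "<#{tag}>")
                     .gsub("&lt;/#{tag}&gt;", "</#{tag}>")
  end
  escaped
end

# True when the sanitized output still contains an executable element start.
# Used here only as a self-check; the allowlist above makes it unreachable.
def active_content?(html)
  html.match?(/<(script|iframe|object|embed)\b/i)
end

# Constructed sample standing in for RedCloth.new(@post.text).to_html when the
# post body contains the question's <script> payload plus an inline link.
SAMPLE_REDCLOTH_OUTPUT = "<p>Hello <b>world</b></p>\n" \
                         "<script> alert('!!!') </script>\n" \
                         "<p><a href=\"http://example.com\">link</a></p>".freeze

if __FILE__ == $PROGRAM_NAME
  # In the view this would be: <%= raw allowlist_html(RedCloth.new(@post.text).to_html) %>
  cleaned = allowlist_html(SAMPLE_REDCLOTH_OUTPUT)
  puts cleaned
  puts "active content left: #{active_content?(cleaned)}"
end
```

The trade-off is visible in the output: the `<script>` block is rendered as literal text instead of executing, but so is the `<a href>` link, because attributes are not on the allowlist. That is exactly why a real sanitizer with per-element attribute rules (the sanitize gem's `Sanitize::Config::BASIC` allows `a[href]`, for instance) is preferable in production; the approach here shows what "allow only what you named" means at the smallest scale.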