9

I know I can use the ActionView helper strip_tags method in my views to sanitize output, but what is the best way to sanitize user input before I persist it to my db? Should I find a way to include the view helper in my controller and reuse the strip_tags method? I thought Rails would have something available globally to do something like this.

Ryan Bigg
Zakir Hemraj

4 Answers

4

What about the xss_terminate plugin?

Reuben Mallaby
  • 2 years later and two downvotes with no comments - comments would at least help make things more clear for other users. Note: at the time of the answer we were using Rails 2 and things weren't as great as they are now! – Reuben Mallaby Jan 08 '12 at 16:36
0

Maybe the sanitize gem: http://wonko.com/post/sanitize

tig
-1

Why do you want to sanitize user inputs? That doesn't even make any sense! You always want to sanitize (escape) outputs, not inputs, because the meaning of sanitization depends on the context that you are using the content in. There is no such thing as a string that is safe in any context. You do not want a bunch of mangled strings in your database that are "safe" in whatever scenario your application is using them today, because tomorrow, you might want to do something different with them. If your presentation layer is doing the right thing (escaping content based on the context), then you're fine, no matter how many quotes, backslashes or DROP TABLE statements are in them.

Enno
  • In some cases it makes sense to "sanitize" user input before storing it in the database. For example, if a user enters his last name as "Smith", then it doesn't make sense to store the html tag in the database. In this case, it's nice to strip the html tag before saving the last name in the database. – Zack Xu Aug 05 '15 at 13:16
  • The original question related to injection (XSS and HTML), in which case I hold that sanitization is *always* wrong. But even if you somehow got garbage in the string, what are your chances that the sanitization is going to find the garbage? It's difficult for an algorithm to figure out what part is and is not a name. For example, when is that ampersand part of an HTML entity, and when is it part of a name like "Smith & Wesson"? Pretty soon, you end up with this: http://www.kalzumeus.com/2010/06/17/falsehoods-programmers-believe-about-names/ – Enno Aug 06 '15 at 15:09
-1

Why do you need to sanitize the user's input?

Typically, all that is needed is rigorous, context-aware encoding/escaping of the user's input any time you print it or embed it within a larger block of output.

yfeldblum
  • No sense leaving malicious code just sitting in your database. Multiple attack vectors into web applications are already commonplace and this just seems like an easy thing to fix, IMO. Defense in depth, ya know? – phreakre May 21 '10 at 14:03
  • Rails 3 takes the correct approach. It automatically html-escapes anything (including user-inputted data) being output into the html, except those specific items which the programmer indicates are already html-safe. Rails 3 does defense in depth, and it does so in the correct and rigorous way, with data being escaped in the correct place and at the correct time. – yfeldblum May 22 '10 at 00:02
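Enno's answer and yfeldblum's answer above both rest on the same point: escaping is a property of the output context, not of the stored string. As an added example (not code from this thread, and plain Ruby stdlib rather than Rails), the script below escapes one input for three different contexts and then shows what happens when a value that was already "sanitized" on input is rendered through normal output escaping; the helper names are my own.

```ruby
require 'erb'
require 'cgi'
require 'json'

# Escape for the HTML text-node context (what Rails 3 does by default on output).
def escape_for_html(str)
  ERB::Util.html_escape(str)
end

# Escape for a URL query-string component.
def escape_for_url(str)
  CGI.escape(str)
end

# Escape for a JavaScript string literal inside a <script> block. JSON quoting
# handles quotes and control characters; the gsub neutralizes a literal
# "</script>", because the HTML parser ends the script element regardless of JS strings.
def escape_for_js(str)
  JSON.generate(str).gsub('</', '<\/')
end

# One input, three correct encodings: none of them is a substitute for another.
def escaped_in_every_context(str)
  { html: escape_for_html(str), url: escape_for_url(str), js: escape_for_js(str) }
end

# A naive "sanitize on input" policy: strip tags, HTML-escape, then persist.
def naive_sanitize_on_input(str)
  escape_for_html(str.gsub(/<[^>]*>/, ''))
end

# Rendering that stored value through the normal per-context escaping mangles it:
# "&amp;" becomes "&amp;amp;" in HTML and "%26amp%3B" in a URL.
def render_stored(stored)
  { html: escape_for_html(stored), url: escape_for_url(stored) }
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample inputs: a legitimate name containing an ampersand,
  # and a classic script-tag payload.
  ['Smith & Wesson', '<script>alert(1)</script>'].each do |input|
    puts "#{input.inspect} -> #{escaped_in_every_context(input)}"
  end
  stored = naive_sanitize_on_input('Smith & Wesson')
  puts "stored #{stored.inspect} renders as #{render_stored(stored)}"
end
```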