Questions tagged [sanitize]

Whitelist-based Ruby HTML and CSS sanitizer.

Sanitize is a whitelist-based HTML and CSS sanitizer. Given a list of acceptable elements, attributes, and CSS properties, Sanitize will remove all unacceptable HTML and/or CSS from a string.

Using a simple configuration syntax, you can tell Sanitize to allow certain HTML elements, certain attributes within those elements, and even certain URL protocols within attributes that contain URLs. You can also whitelist CSS properties, @ rules, and URL protocols you wish to allow in elements or attributes containing CSS. Any HTML or CSS that you don't explicitly allow will be removed.

Sanitize is based on Google's Gumbo HTML5 parser, which parses HTML exactly the same way modern browsers do, and Crass, which parses CSS exactly the same way modern browsers do. As long as your whitelist config only allows safe markup and CSS, even the most malformed or malicious input will be transformed into safe output.

411 questions
16 votes, 3 answers

Strip style attributes with nokogiri

I'm scraping an HTML page with Nokogiri and I want to strip out all style attributes. How can I achieve this? (I'm not using Rails so I can't use its sanitize method, and I don't want to use the sanitize gem because I want to blacklist remove not…
keepitterron
16 votes, 6 answers

Is it safe to use user input for Python's regular expressions?

I would like to let my users use regular expressions for some features. I'm curious what the implications are of passing user input to re.compile(). I assume there is no way for a user to give me a string that could let them execute arbitrary…
Skeletron
15 votes, 3 answers

How good is the Rails sanitize() method?

Can I use ActionView::Helpers::SanitizeHelper#sanitize on user-entered text that I plan on showing to other users? E.g., will it properly handle all cases described on this site? Also, the documentation mentions: Please note that sanitizing …
Tom Lehman
14 votes, 1 answer

Using WordPress, can someone tell me the best way of sanitizing input?

I'm developing an application using WordPress as a CMS. I have a form with a lot of input fields which need to be sanitized before being stored in the database. I want to prevent SQL injection, having JavaScript and PHP code injected, and other harmful…
Steven
13 votes, 5 answers

Rails Gem sanitize - How to whitelist &

Right now we're using the sanitize gem: https://github.com/rgrove/sanitize The problem is that if you enter "hello & world", sanitize is saving that in the DB as: hello & world How can you whitelist the &? We want sanitize to remove all possible…
AnApprentice
13 votes, 4 answers

PHP Sanitize Data

I am new to the world of coding and PHP hence would like to learn what's the best way to sanitize form data to avoid malformed pages, code injections and the like. Is the sample script I found below a good example? Code originally posted at…
PeanutsMonkey
12 votes, 1 answer

Ruby on Rails: How to sanitize a string for SQL when not using find?

I'm trying to sanitize a string that involves user input without having to resort to manually crafting my own possibly buggy regex, if possible. However, if that is the only way, I would also appreciate it if anyone can point me in the right direction to…
William Jones
12 votes, 2 answers

How to sanitize inputs

I am willing to use "OWASP ESAPI for Java" to sanitize users' inputs when they submit forms in a Tomcat webapp. I used to use org.apache.commons.lang.StringEscapeUtils like this: public static String myEscapeHtml(String s) { String…
Léa Massiot
12 votes, 4 answers

Truncate + Sanitize in Rails Views

I ran into a small problem today when I was trying to use sanitize and truncate in conjunction with one another to create an excerpt for my blog. Each of the methods worked by itself, but used together it would only truncate. I tried both of these…
user2649201
11 votes, 2 answers

Sanitize user input for child_process.exec command

I'm writing a CLI using node and I've arrived at the part where I take user input and append it to a string that is the command for the child_process.exec function. const CURL_CHILD = exec('npm view --json ' + process.argv[2] + ... I am trying to…
Kraken
10 votes, 1 answer

Sanitise in WordPress but keep HTML

I understand that sanitising user input is important and I want to make sure bad stuff is removed, but I also want to be able to have users add HTML to a custom field. The WordPress sanitise text field function does a great job, but I want to tell it…
binarystarr
9 votes, 6 answers

Ruby on Rails: Allow less than sign '<' inside code block with sanitize helper

I'm trying to escape user generated content in Rails. I have used raw with sanitize and raw helpers to filter content like this: raw(sanitize(code, :tags => ['<', 'h2','h3','p','br','ul','ol','li','code','pre','a'] )) The list of tags mentioned…
mansoor.khan
9 votes, 3 answers

How can I sanitize all params coming into a Sinatra app?

In a similar Rails app, I was able to make a recursive Hash-checking function which then runs the Sanitize gem's clean/fragment method to remove any HTML elements from incoming params hash. I used a before filter in the application_controller so…
rcd
9 votes, 2 answers

AngularJS create html/link/anchor from text (escape/unescape html in view)

I have a controller that has an assigned value: $scope.post = 'please visit http://stackoverflow.com quickly'; I have some text in my HTML:

{{post}}

I would like to make a clickable link of the url (surround it with anchor tags). I tried…
Daan
9 votes, 2 answers

Which one should be performed first? Sanitizing or validation

I have a field in my registration form, for instance a name field, which will be stored in the database in a field called user_name varchar(20). It's clear that I should validate the user input. If I validate this field first with the code below: …
naazanin