Questions tagged [sanitize]

Whitelist-based Ruby HTML and CSS sanitizer.

Sanitize is a whitelist-based HTML and CSS sanitizer. Given a list of acceptable elements, attributes, and CSS properties, Sanitize will remove all unacceptable HTML and/or CSS from a string.

Using a simple configuration syntax, you can tell Sanitize to allow certain HTML elements, certain attributes within those elements, and even certain URL protocols within attributes that contain URLs. You can also whitelist CSS properties, @ rules, and URL protocols you wish to allow in elements or attributes containing CSS. Any HTML or CSS that you don't explicitly allow will be removed.

Sanitize is based on Google's Gumbo HTML5 parser, which parses HTML exactly the same way modern browsers do, and Crass, which parses CSS exactly the same way modern browsers do. As long as your whitelist config only allows safe markup and CSS, even the most malformed or malicious input will be transformed into safe output.

411 questions
9 votes, 4 answers

Sanitize input XSS and HTML input in rails

I know I can use the ActionView helper strip_tags method in my views to sanitize output, but what is the best way to sanitize user input before I persist it to my db? Should I find a way to include the view helper in my controller and reuse the…
Zakir Hemraj
8 votes, 2 answers

How to handle sanitizing in JavaScript editors that allow formatting

Many editors like Medium offer formatting now. From what I see in the DOM it simply adds HTML. But how do you sanitize this kind of input without losing the formatting applied by the user? E.g. clicking bold adds:
Mahoni
7 votes, 4 answers

Sanitize contact form without mysql_real_escape_string

I normally use this function to sanitize my form inputs before storing them into my database: //Function to sanitize values received from the form. Prevents SQL injection function clean($str) { $str = @trim($str); if(get_magic_quotes_gpc())…
Brooke.
7 votes, 2 answers

Rails 4 Sanitizing User Input

I am currently making an API using Ruby on Rails. I was just wondering in general if there are built in Rails methods or libraries/gems to sanitize Json and SQL or if Rails 4 does this by default? I am most worried about such cases where I have an…
timmy
7 votes, 2 answers

Codeigniter - best practice to sanitize input

I would like to know what's the best practice to sanitize user input using Codeigniter. I understand that CI offers form_validation, such as set_rules. 'set_rules'=>'trim|xss_clean|alpha_numeric|htmlspecialchars' "Any native PHP function that…
vincent
6 votes, 1 answer

Bypass security of HTML import

I am importing an HTML snippet from a third party and embedding it into some placeholder outside my Angular 7 application. There's one link starting with javascript: inside the snippet that will be prefixed with unsafe: by Angular which breaks its…
dude
6 votes, 2 answers

Sanitizing PHP Variables, am I overusing it?

I've been working with PHP for some time and I began asking myself if I'm developing good habits. One of these is what I believe consists of overusing PHP sanitizing methods, for example, one user registers through a form, and I get the following…
Cristian D
6 votes, 1 answer

Are there any better alternatives to Sanitize for a Ruby app?

I love Sanitize. It's an amazing utility. The only issue I have w/ it is the fact that it takes forever to prepare a development environment w/ it because it uses Nokogiri, which is a pain for compile time. Are there any programs that do what…
T145
6 votes, 2 answers

What is the difference between using ? and % when sanitizing fields in ActiveRecord?

I've been puzzled for a while over the difference between using a question mark, e.g. Foo.find(:all, :conditions => ['bar IN (?)', @dangerous]) and using sprintf style field types, e.g. Bar.find(:all, :conditions => ['qux IN (%s)', @dangerous]) in…
6 votes, 2 answers

Sanitizing string to prevent relative URI paths

I have this HTTP handler I created to update information in a local SQL Express database. I realised that it was possible for a user to use relative URI paths "/../../file.zip" as the query string, and would be able to download files outside of the…
Rikki B
6 votes, 3 answers

PHP Removing Windows ^M Character

I have a CSV I am downloading from a source I'm not in control of and the end of each line is a ^M character when printed to a bash terminal. How can I sanitize this input programmatically in PHP?
nsfyn55
5 votes, 2 answers

Function call inside ngStyle gets sanitized

I have a problem with style sanitization with Angular 8. I've used ngStyle multiple times, but this time I cannot set the border of a td element. I am trying to set the border style based on a field. If this field has a relevant content for me then…
5 votes, 1 answer

Is safe for sanitize?

I am using a rich text editor (CKEditor) and I have the opportunity to let users create profiles that are displayed to other users. Many of the attributes CKEditor can control are being lost when I display them as: <%= sanitize(profile.body) %> My…
sscirrus
5 votes, 0 answers

Rails: security implications of whitelisting table tags in Rails' sanitizer?

I see that Rails doesn't whitelist table tags by default for its sanitizer. Is there any particular security reason for this? I can't think of any, but I'm using CKEditor to allow user input of HTML tags, and I'd like them to use tables if they want…
Brandon