Questions tagged [sanitize]

Whitelist-based Ruby HTML and CSS sanitizer.

Sanitize is a whitelist-based HTML and CSS sanitizer. Given a list of acceptable elements, attributes, and CSS properties, Sanitize will remove all unacceptable HTML and/or CSS from a string.

Using a simple configuration syntax, you can tell Sanitize to allow certain HTML elements, certain attributes within those elements, and even certain URL protocols within attributes that contain URLs. You can also whitelist CSS properties, @ rules, and URL protocols you wish to allow in elements or attributes containing CSS. Any HTML or CSS that you don't explicitly allow will be removed.

Sanitize is based on Google's Gumbo HTML5 parser, which parses HTML exactly the same way modern browsers do, and Crass, which parses CSS exactly the same way modern browsers do. As long as your whitelist config only allows safe markup and CSS, even the most malformed or malicious input will be transformed into safe output.

411 questions
5 votes, 3 answers

Save sentence as server filename

I'm saving the recording of a set of sentences to a corresponding set of audio files. Sentences include: Ich weiß es nicht! ¡No lo sé! Ég veit ekki! How would you recommend I convert the sentence to a human readable filename which will later be…
Baz
5 votes, 1 answer

Rails: What is `sanitize` in Rails?

What does sanitize mean in Rails? I'm reading through the documentation for CanCanCan. It says: When using strong_parameters or Rails 4+, you have to sanitize inputs before saving the record, in actions such as :create and :update. Then per…
tim_xyz
5 votes, 5 answers

PHP: How to mass replace $_POST[...] with strip_tags($_POST[...])

I'm currently recovering from a nasty XSS attack, and realized I never sanitized inputs on several of the forms on my site. I used Notepad++'s Find In Files feature to search for $_POST in all my PHP files, and got almost 5,000 results. Now, I…
Mike Turley
5 votes, 4 answers

Rails 4 Sanitize remove style attribute from element

I use the sanitize gem to clean input. Now I need to allow adding style to span. Actually I want to allow only specific styles (font-style, font-weight and text-decoration), but at the moment I cannot even manage to allow the style attribute. I use…
guyaloni
5 votes, 2 answers

Protect Express against XSS: is it sufficient to encode HTML entities of whole incoming request?

I have an Express app that I want to protect against XSS. I read some pages about XSS, including OWASP ones, and in view of my application's characteristics, I decided to write a middleware that encodes HTML entities, more precisely XML entities,…
nlc
5 votes, 4 answers

Is hexing input sufficient to sanitize SQL Queries?

I was reading last night on preventing SQL injections, and I ran across this answer: How can I prevent SQL injection in PHP? The comments from 'Your Common Sense' made it sound like that was dysfunctional/unsafe. However, in my (albeit limited)…
5 votes, 1 answer

Why does jsoup remove inlined stylesheets?

I use jsoup to protect my app from XSS attacks. I get all input parameters and do Jsoup.clean on them. But I have a problem with that: it removes all inlined stylesheets! Why? I have a part in my app where the user can write a text and publish it as…
Rasoul Taheri
5 votes, 3 answers

Strip Inline CSS and JavaScript in Rails

I'm working on a Rails application and I would like to know what's the best way to strip blocks of CSS or JavaScript. -or- I'm using the strip_tags helper to take care of most of the HTML, but it leaves…
Ruben
5 votes, 2 answers

How best to sanitize rich html with rails?

I'm looking for advice on how to clean submitted HTML in a web app so it can be redisplayed in future without styles or unclosed tags wrecking the layout of an app. On my app rich HTML is submitted by users with the YUI Rich Text Editor, which by…
Chris Adams
5 votes, 3 answers

Is it a dangerous thing to view an access log without sanitizing via a web browser?

Is it a dangerous thing to view an access log without sanitizing via a web browser? I am considering recording an access log, and I am considering viewing it via a web browser, but if an attacker modifies his remote host or user agent or something, can he…
jim-prove
4 votes, 4 answers

PHP - Filter_var alternative?

I built a PHP script to output data posted in a form, but I ran into a problem. The server the website is going to run on runs PHP 5.1.6. This version of PHP does not support filter_var. I need to know an alternative in the short term (preferably…
WebGremlin
4 votes, 3 answers

Ruby on Rails: How can I remove/delete/sanitize script and style tags from text input?

    <%= form_for @post.comments.new do |f| %>
      Name: <%= f.text_field :name %>
      Email: <%= f.text_field :email %>
      Body: <%= f.text_area :content %>
      <%= submit_tag "Comment" %>
    <% end %>

I need to delete/remove/sanitize…
cola
4 votes, 7 answers

SQL Injection, Quotes and PHP

I'm quite confused now and would like to know if you could clear things up for me. After the latest Anon/LulzSec attacks, I was questioning my PHP/MySQL security. So, I thought, how could I protect both PHP and MySQL. Question: Could anyone…
ptmr.io
4 votes, 0 answers

What does ActiveRecord::Base.sanitize do?

Will sanitize deal with SQL injection? From its source code (extracted from here):

    def sanitize(object) #:nodoc:
      connection.quote(object)
    end

sanitize uses `quote`, whose source code (extracted from here) is:

    def quote(value, column =…
laahaa
4 votes, 2 answers

mysql data masking

Hi, I'd like to take a production database and use it in a private development environment. But I'd like to anonymize the data. I've been searching for an hour, but everything I find is for Oracle or SQL Server... nothing for MySQL. I have…
Todd M