views:

30

answers:

2

I want my application to sanitize html on input rather than on display, so that the fields saved into the database are sanitized.

I've been doing this with strip_tags, and it was working great. However, this has the downside that it means the user can't input anything that's bracketed with < and >.

How can I tell Rails in the model to securely escape tags before saving them to the database? I'd like to not have to call h on the sanitized fields again before using them in the views.

+1  A: 

You could call the h method in a before_save filter.

Jakub Hampl
A: 

One option is to use the plugin xss_terminate: http://code.google.com/p/xssterminate/

By default it strips all HTML tags from user input.

Greg