I need to display user comments, omitting HTML to prevent attacks (when custom styled elements can be posted as comments). The only thing I would like to keep when displaying is the "br" tag.

I display the comment this way:

<p class="content"><%=h comment.content.gsub(/\n/,"<br/>") %></p>

The comment is supposed to be saved in the database without any markup.

Line endings are converted to "br" tags.

But, sure enough, they are gone because of the =h output mode.

Is there a way to kill all HTML except "br" tags?

A: 

I'd recommend using the white_list plugin. It's safe against XSS attacks and you will be able to control the list of allowed tags.

fantactuka
+3  A: 

You could either use sanitize, which keeps only the specified HTML tags:

<%= sanitize comment.content.gsub(/\n/,"<br/>"), :tags => ['br'] %>

or (in your case, preferably) change the order of the two and do the html_escape yourself:

<%= html_escape(comment.content).gsub(/\n/,"<br/>") %>
giraff
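The escape-then-convert ordering from the answer above, as an added runnable example (not code from either answerer). It uses the standard-library ERB::Util.html_escape in place of the Rails h / html_escape helper so it runs outside Rails; the comment strings are constructed sample input. The second function reproduces the wrong order from the question so the difference is visible.

```ruby
require "erb"

# Added example: render an untrusted comment as HTML, keeping only the line
# breaks. Escape first, then turn newlines into <br/>, so the tags we generate
# survive while anything the user typed is neutralised.
# ERB::Util.html_escape is the stdlib helper that Rails' `h` wraps.
def render_comment(text)
  escaped = ERB::Util.html_escape(text.to_s)
  # Match \r\n as well as \n so Windows line endings do not leave a stray \r.
  escaped.gsub(/\r?\n/, "<br/>")
end

# The order in the question: newlines become <br/> first, then everything is
# escaped, so our own <br/> tags come out as &lt;br/&gt; and are lost.
def render_comment_wrong_order(text)
  with_breaks = text.to_s.gsub(/\r?\n/, "<br/>")
  ERB::Util.html_escape(with_breaks)
end

if __FILE__ == $0
  # Constructed sample input: a line break followed by injected markup.
  comment = "Nice post!\n<script>alert(1)</script>\r\n<b>bold</b>"
  puts render_comment(comment)
  puts render_comment_wrong_order(comment)
end
```

With the first function, a user-supplied `<br/>` in the comment body is escaped like any other tag; only the line breaks the server inserted come through as real tags. On Rails 3 and later, `<%= %>` escapes by default and `gsub` returns a plain (unsafe) String, so the result of this approach needs to be marked with `.html_safe` (or wrapped in `raw`) at the point of output, after you have escaped it yourself.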