I have a partial that contains this sanitize() code:

<%= sanitize comment.body,
:tags => %w(a b embed i img object p param),
:attributes => %w(allowfullscreen allowscriptaccess href name src type value) %>

I'd like users to be able to embed videos, links, pictures, use italics, bold, etc.

How unsafe is this and if I put this on a live website what should I expect or be prepared to deal with?

Note: this is assuming there is no sanitizing of input obviously.

Thanks for reading.

A: 

The tags you really have to watch out for are <script/> and <object/>.

If allowing videos, you should either validate against an acceptable object format that matches the expected values coming from YouTube and other systems OR (ideally) create a UI that handles the embedding for the user.

Last year I created a system that allowed video embedding by taking a YouTube URL and manually deriving the object embed code. It had the benefit of making the user experience pretty streamlined as well as protecting the system from a potential vector of attack.

Oh, and another thing: use strong and em, rather than b and i, if you can.

Toby Hede
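The approach the answer describes, taking a YouTube URL from the user and deriving the embed markup on the server, as an added example in plain Ruby (this is not the answerer's code and not part of the original post). It assumes a hypothetical `VideoEmbed` module; the comment form would store the user's URL, and the partial would render `VideoEmbed.embed_html(url)` while the `sanitize` whitelist for `comment.body` drops `embed`, `object`, `param`, `allowscriptaccess` and `src` entirely. The answer talks about the `<object>`/`<embed>` form YouTube used at the time; this example emits YouTube's current `<iframe>` embed instead, but the security property is the same: the only user-controlled value that reaches the markup is an 11-character video ID that has passed a strict whitelist check.

```ruby
require 'uri'
require 'cgi'

# Added example (hypothetical helper, not from the original answer).
# The user supplies a YouTube URL; we validate it and build the embed
# markup ourselves, so no user-written <object>/<embed>/<param> ever
# reaches the page.
module VideoEmbed
  # Only these hosts are accepted; anything else (including lookalike
  # domains) is rejected rather than embedded.
  YOUTUBE_HOSTS = %w[youtube.com www.youtube.com m.youtube.com youtu.be].freeze

  # YouTube video IDs are exactly 11 URL-safe characters. Anchoring with
  # \A and \z (not ^ and $) prevents multi-line tricks.
  VIDEO_ID = /\A[A-Za-z0-9_-]{11}\z/

  # Returns the validated video ID, or nil if the URL is not an
  # acceptable YouTube watch / short URL.
  def self.youtube_video_id(url)
    uri = URI.parse(url.to_s)
    return nil unless %w[http https].include?(uri.scheme)
    return nil unless YOUTUBE_HOSTS.include?(uri.host)

    id = if uri.host == 'youtu.be'
           # https://youtu.be/<id>
           uri.path.delete_prefix('/')
         elsif uri.path == '/watch'
           # https://www.youtube.com/watch?v=<id>&...
           # CGI.parse percent-decodes, so an encoded '">' is checked
           # in its decoded form by the regex below.
           CGI.parse(uri.query.to_s)['v'].first
         end

    VIDEO_ID.match?(id.to_s) ? id : nil
  rescue URI::InvalidURIError
    nil
  end

  # Builds the embed markup from a validated ID. Returns nil for any
  # URL that does not validate; the caller renders nothing in that case.
  # width/height are coerced to Integer so they cannot smuggle markup.
  def self.embed_html(url, width: 560, height: 315)
    id = youtube_video_id(url)
    return nil unless id

    w = Integer(width)
    h = Integer(height)
    src = "https://www.youtube.com/embed/#{id}"
    %(<iframe width="#{w}" height="#{h}" src="#{src}" ) +
      %(frameborder="0" allowfullscreen></iframe>)
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample inputs: one good URL, one on an attacker's host,
  # one smuggling markup through the v parameter.
  [
    'https://www.youtube.com/watch?v=dQw4w9WgXcQ',
    'https://evil.example/watch?v=dQw4w9WgXcQ',
    'https://www.youtube.com/watch?v=%22%3E%3Cscript%3E'
  ].each do |u|
    puts "#{u} => #{VideoEmbed.embed_html(u).inspect}"
  end
end
```

In the view, only the string returned by `embed_html` is marked HTML-safe; the comment body itself still goes through `sanitize` with the reduced tag list, so a rejected URL simply produces no video rather than falling back to whatever the user typed.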