I know I can use the ActionView helper strip_tags method in my views to sanitize output, but what is the best way to sanitize user input before I persist it to my db? Should I find a way to include the view helper in my controller and reuse the strip_tags method? I thought Rails would have something available globally to do something like this.
views: 597, answers: 3
A:
Why do you need to sanitize the user's input?
Typically, all that is needed is rigorous, context-aware encoding/escaping of the user's input any time you print it or embed it within a larger block of output.
Justice
2009-10-18 05:11:19
No sense leaving malicious code just sitting in your database. Multiple attack vectors into web applications are already commonplace and this just seems like an easy thing to fix, IMO. Defense in depth, ya know?
phreakre
2010-05-21 14:03:31
Rails 3 takes the correct approach. It automatically HTML-escapes anything (including user-inputted data) being output into the HTML, except those specific items which the programmer indicates are already HTML-safe. Rails 3 does defense in depth, and it does so in the correct and rigorous way, with data being escaped in the correct place and at the correct time.
Justice
2010-05-22 00:02:29
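The contrast the answer draws (strip tags before saving vs. escape for each output context when rendering), as an added example that is not part of the original thread or of Rails itself. It uses only Ruby's standard library: `ERB::Util.html_escape` is the same escaper Rails' `h` helper wraps, and `naive_strip_tags` is an assumed stand-in for ActionView's `strip_tags` (plain tag-shaped-text removal), since ActionView is not loaded here. The sample inputs are constructed for the demonstration.

```ruby
require 'erb'
require 'json'

# Constructed sample inputs: a benign value that merely contains angle
# brackets, a script-injection attempt, and a value aimed at an attribute.
SAMPLES = {
  benign:    'use x < y && y > z',
  injection: '<script>alert(1)</script>',
  attribute: '" onmouseover="alert(1)'
}.freeze

# "Sanitize before persisting": remove anything that looks like a tag.
# Assumed stand-in for ActionView's strip_tags. Whatever it removes is gone
# from the database for good, whether it was an attack or legitimate text.
def naive_strip_tags(str)
  str.gsub(/<[^>]*>/, '')
end

# "Escape at output time": the raw input is stored unchanged, and each
# rendering site applies the escaping for its own context.

# HTML text node: & < > " ' become entities, nothing is lost.
def render_html_text(raw)
  "<p>#{ERB::Util.html_escape(raw)}</p>"
end

# Double-quoted HTML attribute: the same escaper turns " into &quot;, so the
# value cannot terminate the attribute and start a new one.
def render_html_attribute(raw)
  %(<input value="#{ERB::Util.html_escape(raw)}">)
end

# JavaScript string inside a <script> element: HTML entities are wrong here.
# to_json builds a valid JS string literal; </ is additionally escaped so the
# literal cannot close the enclosing <script> element.
def render_js_string(raw)
  literal = raw.to_json.gsub('</', '<\/')
  "<script>var comment = #{literal};</script>"
end

if $PROGRAM_NAME == __FILE__
  SAMPLES.each do |name, raw|
    puts "#{name}: stripped  => #{naive_strip_tags(raw).inspect}"
    puts "#{name}: html text => #{render_html_text(raw)}"
    puts "#{name}: attribute => #{render_html_attribute(raw)}"
    puts "#{name}: js string => #{render_js_string(raw)}"
  end
end
```

Running it shows the two costs of stripping at write time: the benign value loses `< y && y >` and the injection attempt is turned into a bare `alert(1)` that still looks innocent, while neither form is safe to drop into an attribute or a script without the context-specific escaping the rendering functions apply.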