{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 太酷不给撩 的问题《Rails3 and safe nl2br !》','https://www.manongdao.com/q-1315709.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
I have a system for the users to be able to post comments.
The comments are grasped into a textarea.
My problem is to format the comments with br tag to replace \n
In fact, i could do something like that
s.gsub(/\n/, '<br />')
But the xss protection including in rails escapes br tags.
So i could do this
s.gsub(/\n/, '<br />').html_safe
But then, all the tags are accepted even script.... causing a big security problem
So my question is : how to format text with br safely ?
Thanks
EDIT: For now, i have add this
def sanitaze
self.gsub(/(<.*?>)/, '')
end
def nl2br
self.sanitaze.gsub(/\n/, '<br />').html_safe
end
Here's what I did:
The best way I can figure to go about this is using the sanitize method to strip all but the BR tag we want.
Assume that we have
@varwith the content"some\ntext":Trying
<%= @var.gsub(/\n/, '<br />') %>doesn't work.Trying
<%= h @var.gsub(/\n/, '<br />').html_safe %>doesn't work and is unsafe.Trying
<%= sanitize(@var.gsub(/\n/, '<br />'), :tags => %w(br) %>WORKS.I haven't tested this very well, but it allows the BR tag to work, and replaced a dummy script alert I added with white space, so it seems to be doing its job. If anyone else has an idea or can say if this is a safe solution, please do.
Update:
Another idea suggested by Jose Valim:
<%= h(@var).gsub(/\n/, '<br />') %>WorksAs Ryan Bigg suggested
simple_formatis the best tool for the job: it's 'l safe' and much neater than other solutions.so for @var:
If you need to sanitize the text to get rid of HTML tags, you should do this before passing it to
simple_formathttp://api.rubyonrails.org/classes/ActionView/Helpers/TextHelper.html#method-i-simple_format