开发者

my rails 3 app needs to accept html data, and display it but safely! how to minimize security perils?

开发者 https://www.devze.com 2023-02-13 03:28 出处:网络
One of the features of my app is to permit a user to add their facebook or twitter \'button\' to their profile.

One of the features of my app is to permit a user to add their facebook or twitter 'button' to their profile.

The 'obvious' approach is give them a text_area field, have them paste the facebook or twitter 'code', then on their profile display raw fbk_button_field and raw twitter_button_field

(Facebook is an iframe, twitter is a reference to remote aj开发者_如何学Pythonax).

But obviously a user could paste anything into that field, and I'm assuming Thats A Pretty Bad Thing that leaves the system open to a variety of exploits.

So what is the right way to permit users to add 'social buttons' to their profile, without being able to insert an exploit instead.


The most secure solution would be to have them enter their Twitter or Facebook account and recreate the button yourself. That way you can easily strip HTML from the account name and you don't have to worry.

While the above is ideal, you could also use something like the sanitize gem to strip out HTML tags and attributes.

0

精彩评论

暂无评论...
验证码 换一张
取 消