extension / learn

learn.extension.org version2; retired spring 2020
http://learn.extension.org

Sanitize and scrub event attributes #22

Closed jasonadamyoung closed 12 years ago

jasonadamyoung commented 13 years ago

For any attribute that will take html (description, location, recording) - we need to sanitize and scrub the html the best we can. For other fields, we need to strip the html out.

jasonadamyoung commented 12 years ago

Related to #10

jasonadamyoung commented 12 years ago

We need to have some decision on what html we should or shouldn't accept, which is probably related to any wysiwyg chosen for description.

jasonadamyoung commented 12 years ago

The only attribute that was addressed is description, which is the only one getting marked as html_safe in the view. A similar process is needed if Learner profile elements are allowed to be html.

The process chosen was to create valid html via nokogiri, scrub with Loofah, and then sanitize with the rails sanitize helpers.

Rails default sanitize will allow:

```
=> #<Set: {"strong", "em", "b", "i", "p", "code", "pre", "tt", "samp", "kbd", "var", "sub", "sup", "dfn", "cite", "big", "small", "address", "hr", "br", "div", "span", "h1", "h2", "h3", "h4", "h5", "h6", "ul", "ol", "li", "dl", "dt", "dd", "abbr", "acronym", "a", "img", "blockquote", "del", "ins"}>
>> ActionView::Base.sanitized_allowed_attributes
=> #<Set: {"href", "src", "width", "height", "alt", "cite", "datetime", "title", "class", "name", "xml:lang", "abbr"}>
```

jasonadamyoung commented 12 years ago

clearing decision needed and closing for mememas.