Closed jasonadamyoung closed 12 years ago
Related to #10
We need to make a decision on what HTML we should or shouldn't accept, which is probably related to any WYSIWYG chosen for description.
The only attribute that was addressed is description, which is the only one getting marked as html_safe in the view. A similar process is needed if Learner profile elements are allowed to be HTML.
The process chosen was to create valid HTML via Nokogiri, scrub with Loofah, and then sanitize with the Rails sanitize helpers.
Rails default sanitize will allow:

```
=> #<Set: {"strong", "em", "b", "i", "p", "code", "pre", "tt", "samp", "kbd", "var", "sub", "sup", "dfn", "cite", "big", "small", "address", "hr", "br", "div", "span", "h1", "h2", "h3", "h4", "h5", "h6", "ul", "ol", "li", "dl", "dt", "dd", "abbr", "acronym", "a", "img", "blockquote", "del", "ins"}>
>> ActionView::Base.sanitized_allowed_attributes
=> #<Set: {"href", "src", "width", "height", "alt", "cite", "datetime", "title", "class", "name", "xml:lang", "abbr"}>
```
Clearing decision needed and closing for mememas.
For any attribute that will take HTML (description, location, recording), we need to sanitize and scrub the HTML as best we can. For other fields, we need to strip the HTML out.