I like the idea of sanitizing attributes before they ever hit the database. Now the app assumes data coming from the database has been sanitized of nasty XSS attack vectors, etc. So you'll see things like this in the view:
<%= raw(@comment.body_rendered) %>
One problem is that to support markdown quotes, the markdown processor expects ">" symbols instead of the escaped form "&gt;".
So I'm putting the ">" symbols back in sanitizer.rb. Is this dangerous? Other thoughts?
I've pushed an update that centralizes the sanitization code into a new model: https://github.com/phezco/phez/blob/master/app/models/sanitizer.rb
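One way to keep blockquotes working without restoring ">" into stored, already-escaped text is to escape first and then let the renderer recognise the escaped marker "&gt;" itself. The block below is an added example, not code from the phez project; it uses only the Ruby standard library and a minimal blockquote-only renderer that stands in for the real markdown processor.

```ruby
require 'cgi'

# Added example (not from phez): render a tiny markdown subset on text
# that has ALREADY been HTML-escaped, so user-supplied "<" and ">" are
# never turned back into live markup.
module QuoteRenderer
  QUOTE_MARK = '&gt;' # what CGI.escapeHTML emits for a literal ">"

  # Escape the whole body, then build <blockquote> elements from lines
  # that begin with the escaped marker. Every other character from the
  # user stays escaped.
  def self.render(body)
    escaped = CGI.escapeHTML(body.to_s)
    out = []
    quote = []
    flush = lambda do
      unless quote.empty?
        out << "<blockquote><p>#{quote.join(' ')}</p></blockquote>"
        quote.clear
      end
    end
    escaped.each_line do |line|
      line = line.chomp
      if line.start_with?(QUOTE_MARK)
        quote << line.delete_prefix(QUOTE_MARK).strip
      else
        flush.call
        out << "<p>#{line}</p>" unless line.empty?
      end
    end
    flush.call
    out.join("\n")
  end

  # Defender's check for the stored value: after removing the tags this
  # renderer emits itself, no "<" may remain, i.e. nothing user-supplied
  # survived as markup.
  def self.safe?(html)
    !html.gsub(%r{</?(blockquote|p)>}, '').include?('<')
  end
end
```

Storing render's output and emitting it with raw() in the view keeps the quote markup while a pasted <script> tag is rendered as visible text.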