Comments on: Rails XSS Filter http://www.stubbleblog.com/index.php/2007/06/rails-xss-filte/ A curious nerd. Tue, 24 Jan 2012 19:31:41 +0000 hourly 1 http://wordpress.org/?v=3.2.1 By: Tony Stubblebine http://www.stubbleblog.com/index.php/2007/06/rails-xss-filte/comment-page-1/#comment-1326 Tony Stubblebine Wed, 12 Dec 2007 00:03:13 +0000 http://www.stubbleblog.com/wp/?p=184#comment-1326 We took some feedback and some help from Jodi (above) and packed this into a Rails plugin: http://code.google.com/p/sanitizeparams/ We took some feedback and some help from Jodi (above) and packed this into a Rails plugin:
http://code.google.com/p/sanitizeparams/

]]> By: Matthew http://www.stubbleblog.com/index.php/2007/06/rails-xss-filte/comment-page-1/#comment-1308 Matthew Mon, 10 Dec 2007 12:07:45 +0000 http://www.stubbleblog.com/wp/?p=184#comment-1308 Hi, we found that if we changed the call to sanitize params to this: walk_hash(params) It will not report deprecation warnings for rails 1.2.6 (2.0.1 testing for white_list is coming soon) Hope it helps some other folks. Hi, we found that if we changed the call to sanitize params to this:

walk_hash(params)

It will not report deprecation warnings for rails 1.2.6 (2.0.1 testing for white_list is coming soon)

Hope it helps some other folks.

]]> By: Jodi http://www.stubbleblog.com/index.php/2007/06/rails-xss-filte/comment-page-1/#comment-449 Jodi Fri, 02 Nov 2007 14:53:45 +0000 http://www.stubbleblog.com/wp/?p=184#comment-449 Thanx - I've been looking for a pre-emptive approach - this takes that approach I wonder how the above will feel about uploads? I guess I'll find out. cheers, Jodi Thanx – I’ve been looking for a pre-emptive approach – this takes that approach

I wonder how the above will feel about uploads? I guess I’ll find out.

cheers,
Jodi

]]> By: ~J http://www.stubbleblog.com/index.php/2007/06/rails-xss-filte/comment-page-1/#comment-84 ~J Mon, 03 Sep 2007 19:42:50 +0000 http://www.stubbleblog.com/wp/?p=184#comment-84 Good work, I think applying white_list to params is a big improvement on having to remember to add white_list every time you render some user submitted field in the view. (This seems to be the 'rails way' but it seems stupid to increase the load on the server by sanitizing the same text over and over again every time a page is viewed) But that said I'm not sure why you are doing this to the controller rather than adding it as a validation in the model. Good work,

I think applying white_list to params is a big improvement on having to remember to add white_list every time you render some user submitted field in the view. (This seems to be the ‘rails way’ but it seems stupid to increase the load on the server by sanitizing the same text over and over again every time a page is viewed)

But that said I’m not sure why you are doing this to the controller rather than adding it as a validation in the model.

]]>