I'm using jQuery markItUp to allow users to enter HTML, so they can enter things like:
<h1>Foo</h1>
<p>Foobar</p>
However, I looked at http://railscasts.com/episodes/204-xss-protection-in-rails-3 and decided to try this piece of code in the input:
<script>alert('test');</script>
To my surprise, when I submitted the form and refreshed the page, an alert box appeared. This is a security risk!
This is what I have in my view:
<div><%= comment.description.html_safe %></div>
The above displays any HTML, but is also subject to XSS. So I tried:
<div><%= html_safe(comment.description).html_safe %></div>
But the above does not display any HTML; it actually displays the HTML as text, which is not the desired behavior.
I need to display HTML and at the same time protect myself from XSS. How should I do it?