I currently have a controller capturing some HTML from TinyMCE on the front panel. If I mess around with Firebug, you can send script tags and put warning messages, etc. on the screen.
edit: I am currently fixing this in the model using the sanitize helper:
    require 'action_view'

    class NotesController < AuthApplicationController
      include ActionView::Helpers::SanitizeHelper
      ...
      def update
        params[:note][:content] = sanitize(params[:note][:content],
          :tags => %w(a object p param h1 h2 h3 h4 h5 h6 br hr ul li img),
          :attributes => %w(href name src type value width height data))
        @note.update_attributes(params[:note])
      end
    end
It seems useless in the controller. Is there a better way? That is, could I somehow integrate this with ActiveRecord so that I can easily specify this for this and other fields before saving, similar to checks?
Thanks for any suggestions.
edit:
Take some steps here.
Under my / my faces
    module SanitizeUtilities
      def sanitize_tiny_mce(field)
        ActionController::Base.helpers.sanitize(field,
          :tags => %w(a b i strong em p param h1 h2 h3 h4 h5 h6 br hr ul li img),
          :attributes => %w(href name src type value width height data))
      end
    end
Then in my models the code collapses to
    class MyModel < ActiveRecord::Base
      include ::SanitizeUtilities
      ...
      before_save :sanitize_content
      ...
      def sanitize_content
        self.content = sanitize_tiny_mce(self.content)
      end
    end
It seems like it's extra markup without too much fuss.
Pretty new to Rails, so I'm nervous that I might be doing something wrong. Can anyone see potential flaws here?
Thanks again
Chris
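The "declare it once per model, like a validation" pattern the question asks about, as an added example that is not code from the post. The sanitizer here is a deliberately small allowlist stand-in so the file runs without Rails (in an app you would swap in a wrapper around Rails' own sanitize helper and let before_save fire the hook); HtmlSanitization, sanitizes_html and Note are assumed names.

```ruby
require 'cgi'

module HtmlSanitization
  # Stand-in for Rails' sanitize (assumption: not the real helper). Keeps only
  # allowlisted tags/attributes, escapes every other tag as text, and drops
  # href/src values that are not http(s), site-relative or fragment URLs.
  STAND_IN = lambda do |html, tags:, attributes:|
    html.to_s.split(/(<[^>]*>)/).map do |tok|
      m = tok.match(%r{\A<(/?)([a-zA-Z0-9]+)([^>]*)>\z})
      next CGI.escapeHTML(CGI.unescapeHTML(tok)) unless m && tags.include?(m[2].downcase)
      next "</#{m[2].downcase}>" unless m[1].empty?
      kept = m[3].scan(/([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/).filter_map do |k, *vals|
        v = CGI.unescapeHTML(vals.compact.first.to_s)
        next unless attributes.include?(k.downcase)
        next if %w[href src].include?(k.downcase) && v !~ %r{\A(https?:|/|#)}i
        %( #{k.downcase}="#{CGI.escapeHTML(v)}")
      end
      "<#{m[2].downcase}#{kept.join}>"
    end.join
  end

  def self.included(base); base.extend(ClassMethods); end

  module ClassMethods
    # sanitizes_html :content, :title, tags: [...], attributes: [...]
    def sanitizes_html(*fields, tags:, attributes:, sanitizer: STAND_IN)
      fields.each { |f| html_fields[f] = [tags, attributes, sanitizer] }
      before_save :sanitize_html_fields! if respond_to?(:before_save) # ActiveRecord hook
    end
    def html_fields; @html_fields ||= {}; end
  end

  def sanitize_html_fields!
    self.class.html_fields.each do |field, (tags, attrs, sanitizer)|
      public_send("#{field}=", sanitizer.call(public_send(field), tags: tags, attributes: attrs))
    end
  end
end

# Plain-Ruby stand-in for an ActiveRecord model (assumed; not from the post).
class Note
  include HtmlSanitization
  attr_accessor :content, :title
  sanitizes_html :content, :title,
                 tags: %w[a b i strong em p h1 h2 h3 br ul li img],
                 attributes: %w[href name src width height]
  def initialize(content:, title: ''); @content, @title = content, title; end
  def save; sanitize_html_fields!; true; end # before_save does this under ActiveRecord
end
```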