Rails 'raw' helper
Is it safe to use the 'raw' helper in a Rails app that may have many users?
I will be integrating TinyMCE with my app, for users to add HTML content to some form of post. Is it a security issue to use 'raw' to display their content?
Or is there a more proper way of doing things?
Thanks!
From the fine manual:
This method outputs without escaping a string. [...] This is not recommended if the data is coming from the user’s input.
So, yes, using raw can be a bit of a security issue (for your users) unless you properly sanitize the HTML that comes in.
You shouldn't trust the client. Even if you've set up TinyMCE with a limited set of tags, you have no guarantee that the HTML that your server receives actually came from TinyMCE or that someone hasn't worked around TinyMCE in some way.
If you're accepting HTML from users, then you need to whitelist both the tags and attributes before you store it.
You can use Nokogiri to parse the incoming HTML tag by tag: if a tag is on your whitelist, let it through; if you aren't explicitly allowing that tag (i.e. it isn't on your whitelist), throw it away. And you'll want to check the attributes on the tags you let through so that only the attributes and attribute values that you want get through. Any tags, attributes, or attribute values that aren't on your whitelists get thrown away. Once you've scrubbed the incoming HTML, you can store it and safely present it to your users using the raw helper.
This added complexity is one reason that a lot of sites use Markdown, BB-Code, or some other markup language that generates HTML.