开发者

Sanitizing input for display in view when using simple_format

I'm trying to figure out the right way to display comments such that newlines and links are displayed. I know that usually, you should display user-inputs only when escaping html with h(). That of course won't display newlines or links, so I found the 开发者_开发问答simple_format and auto_link methods.

What I am now doing is: simple_format(santize(auto_link(comment.text)))

Is this the right way to do this, and is it still safe from XSS attacks?

Thanks! Eric


Have a look to the last ryanb screencast XSS Protection in Rails 3

Cheers

0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜