How to sanitize user generated html code in ruby on rails
I am storing user generated html code in the database, but some of the code is broken (without end tags), so this code messes up the whole rendering of the page.
How could I prevent this sort of behaviour with ruby on rails?
Thanks
It's not too hard to do this with a proper HTML parser like Nokogiri which can perform clean-up as part of the processing method:
require 'nokogiri'
bad_html = '<div><p><strong>bad</p>'
# Parse as an HTML fragment; the parser closes the unterminated tags for us
puts Nokogiri::HTML.fragment(bad_html).to_s
# <div><p><strong>bad</strong></p></div>
Once parsed properly, you should have fully balanced tags.
My google-fu reveals surprisingly few hits, but here is the top one :)
Valid Well-formed HTML
Try using the h() escape function in your erb templates to sanitize. That should do the trick.
Check out Loofah, an HTML sanitization library based on Nokogiri. This will also remove potentially unsafe HTML that could inject malicious script or embed objects on the page. You should also scrub out style blocks, which might mess up the markup on the page.