Sanitizing User Input with Ruby on Rails

Posted by phreakre on Stack Overflow See other posts from Stack Overflow or by phreakre
Published on 2010-05-21T14:48:26Z Indexed on 2010/05/21 14:50 UTC
Read the original article Hit count: 178

Filed under:

ruby-on-rails

I'm writing a very simple CRUD app that takes user stories and stores them into a database so another fellow coder can organize them for a project we're both working on. However, I have come across a problem with sanitizing user input before it is saved into the database. I cannot call the sanitize() function from within the Story model to strip out all of the html/scripting. It requires me to do the following:

def sanitize_inputs
  self.name =  ActionController::Base.helpers.sanitize(self.name) unless self.name.nil?
  self.story = ActionController::Base.helpers.sanitize(self.story) unless self.story.nil?
end

I want to validate that the user input has been sanitized and I am unsure of two things: 1) When should the user input validation take place? Before the data is saved is pretty obvious, I think, however, should I be processing this stuff in the Controller, before validation, or some other non-obvious area before I validate that the user input has no scripting/html tags? 2) Writing a unit test for this model, how would I verify that the scripting/html is removed besides comparing "This is a malicious code example" to the sanitize(example) output?

Thanks in advance.

Related posts about ruby-on-rails

Ruby on Rails - How can I start? [closed]

as seen on Programmers - Search for 'Programmers'
I have misconception in understanding the relationship between Ruby language and Ruby on Rails Framework. Because of 'I am an absolute beginner' in web development I have no idea if I have to grasp the fundamentals of Ruby before I go with Ruby on Rails! I also want to ask who is behind both Ruby… >>> More
DES3 decryption in Ruby on Rails

as seen on Stack Overflow - Search for 'Stack Overflow'
My RoR server receives a string, that was encrypted in C++ application using des3 with base64 encoding The cipher object is created so: cipher = OpenSSL::Cipher::Cipher::new("des3") cipher.key = key_str cipher.iv = iv_str key_str and iv_str: are string representations of key and initialization… >>> More
Ruby on rails: Image downloads with Authentication/Authorization/Time outs

as seen on Stack Overflow - Search for 'Stack Overflow'
Hi Guys, I'm having few doubts on implementing file downloads. I'm creating an app where I use attachment_fu with Amazon s3 to upload files. Things are working pretty well so far on uploading side. Now its the time to start the file downloads. Here is what I need, a logged in user search and browse… >>> More
Ruby on Rails deployment, on "thin" server with lot of attachments

as seen on Stack Overflow - Search for 'Stack Overflow'
A lot of PDFs are stored inside MySQL as a BLOB field for each PDF file. The average file size is 500K each. The Rails app will stream the :binary data as file downloads, where there is a user click on the download link. Assume there is a maximum of 5 users downloading 5 PDFs concurrently, what… >>> More
Apply Behavior Driven Development to Ruby on Rails with Rspec

as seen on Internet.com - Search for 'Internet.com'
Applying the Behavior Driven Development (BDD) methodology to your Rails development takes you beyond traditional Test Driven Development. Learn how to do it with the Ruby-based BDD framework RSpec. >>> More

Developer IT