7 July 2009

Sanitizing input in Rails

Rails offers the html_escape method (usually shortened to h), which prevents simple attempts at code injection. However, when users are entering content onto a site, there is a very good case for sanitizing the input. After all, if a rogue user is injecting unwanted code into my HTML forms, why would I want to store it in my database? It makes sense to neutralize it before it gets stored.

A couple of years ago Jay Laney wrote a plugin called sanitize_params to do precisely that. It uses Rick Olsen’s white_list plugin to sanitize incoming params before they hit the controller.

Since then, Rick’s plugin has been incorporated into the Rails trunk as the Sanitizer module (the HTML::Sanitizer::WhiteListSanitizer class does more-or-less the same job as the original white_list method in his plugin).

As Rick pointed out some time ago, “the common technique was to mix the helpers directly in to your model and call them directly. However, I recently just refactored a lot of that code into the html tokenizer library. You can now access the classes directly as HTML::Sanitizer, HTML::LinkSanitizer, and HTML::WhiteListSanitizer”.

So, I downloaded the original plugin, amended the code to use HTML::WhiteListSanitizer, installed it into my application and then uploaded it to github.

It seems to work very nicely now.

d. sofer