Posted about 6 years ago.

simple_format does not escape HTML tags

simple_format bypasses Rails' automatic XSS protection. Even when called with an unsafe (not html_safe) string, the HTML characters in that string will not be escaped or stripped!

Instead, simple_format passes the input through a whitelist of tags it allows, and markup using those tags is rendered as HTML. The allowed tags are:

ActionView::Base.sanitized_allowed_tags => #<Set: {"small", "dfn", "sup", "sub", "pre", "blockquote", "ins", "ul", "var", "samp", "del", "h6", "h5", "h4", "h3", "h2", "h1", "span", "br", "hr", "em", "address", "img", "kbd", "tt", "a", "acronym", "abbr", "code", "p", "i", "b", "strong", "dd", "dt", "dl", "ol", "li", "div", "big", "cite"}>

If you don't want markup in user input to be rendered as HTML, you need to escape it yourself before calling simple_format:

simple_format(h(user_input))

If all you need is to turn line breaks into markup, consider writing a custom helper method instead of relying on simple_format's sanitizer.
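A custom helper of the kind suggested above, added here as an example that is not the card's or Rails' own code: it HTML-escapes the input with the stdlib's ERB::Util.html_escape before adding any <p> or <br /> markup, so the only tags in the output are the ones the helper itself generated. Assumed: in a Rails view you would mark the returned string html_safe yourself, since nothing in it comes from the user unescaped.

```ruby
require "erb"

# Added example (not from the makandra card): a line-break helper that escapes
# first and only then inserts markup, so user-supplied tags never become live HTML.
module LineBreakFormat
  module_function

  # Convert plain text into <p> paragraphs, using <br /> for single newlines.
  # Every character of `text` is escaped before any markup is added, which is
  # the opposite order from simple_format (sanitize, then keep allowed tags).
  def format_line_breaks(text)
    normalized = text.to_s.gsub(/\r\n?/, "\n")            # unify CRLF / CR
    paragraphs = normalized.split(/\n{2,}/).reject(&:empty?)
    paragraphs.map { |para|
      "<p>" + ERB::Util.html_escape(para).gsub("\n", "<br />\n") + "</p>"
    }.join("\n\n")
  end
end

# Constructed sample input: a "plain text" field containing tags that
# simple_format would pass through because they are on its whitelist.
SAMPLE_INPUT = "first line\n<b>not bold</b> & <a href=\"https://example.com\">link</a>\n\nsecond paragraph"

if __FILE__ == $0
  puts LineBreakFormat.format_line_breaks(SAMPLE_INPUT)
end
```

Both the <b> and the <a> in the sample come out as literal text (&lt;b&gt;...), while the newlines still become <br /> and paragraph breaks.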

Owner of this card: minh
Last edit: 6 months ago by Arne Hartherz
Posted by minh to makandra dev