Posted almost 7 years ago. Visible to the public. Repeats.

simple_format does not escape HTML tags

simple_format ignores Rails' XSS protection. Even when called with an unsafe string, HTML characters will not be escaped or stripped!

Instead simple_format has a whitelist of tags it allows. These are:

ActionView::Base.sanitized_allowed_tags => #<Set: {"small", "dfn", "sup", "sub", "pre", "blockquote", "ins", "ul", "var", "samp", "del", "h6", "h5", "h4", "h3", "h2", "h1", "span", "br", "hr", "em", "address", "img", "kbd", "tt", "a", "acronym", "abbr", "code", "p", "i", "b", "strong", "dd", "dt", "dl", "ol", "li", "div", "big", "cite"}>

If you don't want user input with markup to appear as HTML, you need to escape yourself:


If you care only about formatting line breaks, consider using a custom method.

Growing Rails Applications in Practice
Check out our new e-book:
Learn to structure large Ruby on Rails codebases with the tools you already know and love.

Owner of this card:

Last edit:
over 1 year ago
by Arne Hartherz
About this deck:
We are makandra and do test-driven, agile Ruby on Rails software development.
License for source code
Posted by minh to makandra dev
This website uses cookies to improve usability and analyze traffic.
Accept or learn more