sanitize

Is <span style=…> safe for sanitize?

不问归期 submitted on 2019-12-03 16:16:17
I am using a rich text editor (CKEditor) and I have the opportunity to let users create profiles that are displayed to other users. Many of the attributes CKEditor can control are being lost when I display them as: <%= sanitize(profile.body) %> My question is: is it safe to allow the attribute 'style' to be parsed? This would allow things like text color, size, background color, centering, indenting, etc. to be displayed. I just want to be sure it won't allow a hacker access to something I don't know about!
is it safe to allow the attribute 'style' to be parsed? No. background-image: url
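The answer above stops at "background-image: url", which is the core of the problem: a CSS url() in a user-controlled style makes every viewer's browser fetch an attacker-chosen resource, and legacy constructs such as expression() once executed script. The following is an added example, not code from the question, from Rails' sanitize helper or from rails-html-sanitizer; it shows what "allowing style" has to mean in practice: an allowlist of presentational properties and a value grammar that cannot express a URL. The property list is an assumption chosen for a profile page.

```ruby
# Added example (not Rails' sanitize, rails-html-sanitizer or Loofah):
# a strict filter for the value of a style="" attribute, so that only a
# short allowlist of presentational properties survives and url(),
# expression(), @import and escape tricks are dropped.

# Properties a profile page plausibly needs; everything else is dropped.
# This list is an assumption for the example; extend it deliberately.
ALLOWED_CSS_PROPERTIES = %w[
  color background-color font-size font-weight font-style
  text-align text-decoration margin-left margin-right
  padding-left padding-right
].freeze

# Conservative value grammar: keywords, numbers, units, percentages,
# hex colours, rgb()/rgba() and comma/space separated lists. Note that
# ':' and '/' are absent, so no scheme or URL can appear in a value.
SAFE_CSS_VALUE = /\A[a-zA-Z0-9\s#%.,()-]*\z/

# Belt and braces: even if the value grammar is later relaxed, these
# constructs never belong in user-supplied styles. url() fetches an
# attacker-chosen resource from every viewer; expression() ran script
# in old Internet Explorer; backslashes and comments hide keywords.
DANGEROUS_CSS_VALUE = %r{url\s*\(|expression\s*\(|@import|\\|javascript:|/\*}i

# Returns a cleaned declaration list for re-emitting as style="...".
# An empty string means the attribute should be dropped entirely.
def sanitize_style(style)
  return "" if style.nil?

  kept = []
  style.split(";").each do |declaration|
    property, value = declaration.split(":", 2)
    next if property.nil? || value.nil?

    property = property.strip.downcase
    value = value.strip
    next unless ALLOWED_CSS_PROPERTIES.include?(property)
    next if value.empty?
    next unless SAFE_CSS_VALUE.match?(value)
    next if DANGEROUS_CSS_VALUE.match?(value)

    kept << "#{property}: #{value}"
  end
  kept.join("; ")
end
```

Run against `"color: red; background-image: url(http://attacker.example/t.png)"` only `color: red` survives; `color: expression(alert(1))` and a value carrying a backslash are dropped altogether. The point is that the check is an allowlist on both the property and the value grammar, not a denylist of known-bad substrings; the DANGEROUS_CSS_VALUE pattern is a second line of defence, not the primary one.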

AngularJS create html/link/anchor from text (escape/unescape html in view)

倾然丶 夕夏残阳落幕 submitted on 2019-12-03 12:34:33
Question: I have a controller that has an assigned value: $scope.post = 'please visit http://stackoverflow.com quickly'; I have some text in my html: <p>{{post}}</p> I would like to make a clickable link of the url (surround it with anchor tags). I tried to change my html to: <p ng-bind-html="post | createAnchors"></p> Here is a simplified example of the problem: http://jsfiddle.net/T3fFt/4/ The question is, how can I escape the whole post text, except for the link, which will be surrounded by anchor

How to sanitize sql fragment in Rails

╄→гoц情女王★ submitted on 2019-12-03 08:10:47
Question: I have to sanitize part of an SQL query. I can do something like this:
class << ActiveRecord::Base
  public :sanitize_sql
end
str = ActiveRecord::Base.sanitize_sql(["AND column1 = ?", "two's"], '')
But it is not safe because I expose a protected method. What is a better way to do it?
Answer 1: You can just use: ActiveRecord::Base::sanitize(string)
Answer 2: ActiveRecord::Base.connection.quote does the trick in Rails 3.x
Answer 3: This question does not specify that the answer has to come from ActiveRecord nor

AngularJS create html/link/anchor from text (escape/unescape html in view)

大城市里の小女人 submitted on 2019-12-03 02:58:13
I have a controller that has an assigned value: $scope.post = 'please visit http://stackoverflow.com quickly'; I have some text in my html: <p>{{post}}</p> I would like to make a clickable link of the url (surround it with anchor tags). I tried to change my html to: <p ng-bind-html="post | createAnchors"></p> Here is a simplified example of the problem: http://jsfiddle.net/T3fFt/4/ The question is, how can I escape the whole post text, except for the link, which will be surrounded by anchor tags?
I think you can use Angular's linky filter for this: https://docs.angularjs.org/api/ngSanitize
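Both copies of this question ask for the same thing: escape the whole text, then wrap only the URLs in anchors, which is the approach a linkify filter such as ngSanitize's linky takes. The block below is an added example in plain Ruby, written for this page; it is not the AngularJS filter and not code from the question. It assumes that only http and https URLs should become links, so a pasted `javascript:` URL is never turned into an href, and it HTML-escapes every chunk, URL included, before building the markup.

```ruby
require "cgi"

# Added example: "escape everything, then wrap the URLs" in plain Ruby.
# Not the AngularJS linky implementation; a stand-alone illustration.

# Only http(s) URLs are linkified (an assumption for this example); the
# character class stops at whitespace and at the HTML-significant
# characters so that a crafted URL cannot carry markup into the output.
URL_PATTERN = %r{https?://[^\s<>"']+}i

# Returns HTML in which all text is escaped and each URL has become
# <a href="...">...</a>, with the URL itself escaped in both positions.
def linkify(text)
  out = String.new
  last = 0
  text.scan(URL_PATTERN) do
    m = Regexp.last_match
    out << CGI.escapeHTML(text[last...m.begin(0)])   # plain text before the URL
    href = CGI.escapeHTML(m[0])
    out << %(<a href="#{href}" rel="nofollow">#{href}</a>)
    last = m.end(0)
  end
  out << CGI.escapeHTML(text[last..-1])              # trailing plain text
end
```

For the post in the question, `linkify("please visit http://stackoverflow.com quickly")` yields the text with one anchor around the URL; a post consisting of `<script>alert(1)</script> javascript:alert(1)` comes back fully escaped with no anchor at all. Whatever produces the final HTML, the invariant to keep is that the escaping step runs on every piece of user text and the markup is generated only by the code, never copied from the input.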

How to sanitize sql fragment in Rails

好久不见. submitted on 2019-12-02 21:47:30
I have to sanitize part of an SQL query. I can do something like this:
class << ActiveRecord::Base
  public :sanitize_sql
end
str = ActiveRecord::Base.sanitize_sql(["AND column1 = ?", "two's"], '')
But it is not safe because I expose a protected method. What is a better way to do it?
HashDog Team: You can just use: ActiveRecord::Base::sanitize(string)
dimus: ActiveRecord::Base.connection.quote does the trick in Rails 3.x
Bryan Dimas: This question does not specify that the answer has to come from ActiveRecord nor does it specify for which version of Rails it should be. For that reason (and because it

When to filter/sanitize data: before database insertion or before display?

爷,独闯天下 submitted on 2019-12-02 20:30:22
As I prepare to tackle the issue of input data filtering and sanitization, I'm curious whether there's a best (or most used) practice? Is it better to filter/sanitize the data (of HTML, JavaScript, etc.) before inserting the data into the database, or should it be done when the data is being prepared for display in HTML? A few notes: I'm doing this in PHP, but I suspect the answer to this is language agnostic. But if you have any recommendations specific to PHP, please share! This is not an issue of escaping the data for database insertion. I already have PDO handling that quite well. Thanks!

Is it recommended to have a sanitizing function that combines two or more built-in sanitizing functions in PHP?

本小妞迷上赌 submitted on 2019-12-02 20:06:24
Question: Is it okay to employ a function that sanitizes the incoming inputs due to a form submission or any other request? It is time saving, but the question of effectiveness and efficiency still haunts me. For instance,
function clearSpecialChars($str) {
    $str = htmlentities($str);
    $str = strip_tags($str);
    $str = mysql_real_escape_string($str);
    return $str;
}
so that when I get a form submission I do:
$username = clearSpecialChars($_REQUEST['username']);
$email = clearSpecialChars($_REQUEST['email']);

Is it recommended to have a sanitizing function that combines two or more built-in sanitizing functions in PHP?

情到浓时终转凉″ submitted on 2019-12-02 12:38:20
Is it okay to employ a function that sanitizes the incoming inputs due to a form submission or any other request? It is time saving, but the question of effectiveness and efficiency still haunts me. For instance,
function clearSpecialChars($str) {
    $str = htmlentities($str);
    $str = strip_tags($str);
    $str = mysql_real_escape_string($str);
    return $str;
}
so that when I get a form submission I do:
$username = clearSpecialChars($_REQUEST['username']);
$email = clearSpecialChars($_REQUEST['email']);
Fundamentally, I am not desiring any HTML inputs from the user.
each function serves its own purpose, you shouldn

Ruby on Rails: How to sanitize a string for SQL when not using find?

|▌冷眼眸甩不掉的悲伤 submitted on 2019-11-30 13:53:26
Question: I'm trying to sanitize a string that involves user input without having to resort to manually crafting my own possibly buggy regex if possible; however, if that is the only way, I would also appreciate it if anyone can point me in the right direction to a regex that is unlikely to be missing anything. There are a number of methods in Rails that can allow you to enter native SQL commands; how do people escape user input for those? The question I'm asking is a broad one, but in my particular
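The two "How to sanitize sql fragment in Rails" entries and this question are all about the same operation: turning a user-supplied value into a quoted SQL literal, or better, binding it through a `?` placeholder, rather than interpolating it into the fragment. The answers above point at ActiveRecord::Base.connection.quote and at the sanitize_sql family. The block below is an added, plain-Ruby stand-in written for this page, not ActiveRecord's code, that shows what such a helper has to do and why the fragment-plus-values form is the safe shape. It assumes SQL-standard quoting (doubling the single quote), which SQLite and PostgreSQL accept; MySQL additionally treats backslashes as escapes, so there the adapter's own quote method must be used, not this one.

```ruby
# Added example: a plain-Ruby stand-in for a placeholder-binding helper
# (the shape of ActiveRecord's sanitize_sql_array / connection.quote).
# Not ActiveRecord's code. Quoting follows the SQL standard (double the
# quote); MySQL's backslash escapes are NOT handled here, use the adapter.

# Turns one Ruby value into one SQL literal. Strings are the only case
# that needs escaping; numbers, booleans and nil are emitted as keywords.
def quote_sql(value)
  case value
  when nil            then "NULL"
  when Integer, Float then value.to_s
  when true           then "TRUE"
  when false          then "FALSE"
  when String         then "'" + value.gsub("'", "''") + "'"
  else raise ArgumentError, "cannot quote a #{value.class} for SQL"
  end
end

# Replaces each ? in the fragment with the quoted literal for the next
# value, refusing to run if the counts do not match (a missing or extra
# value is the usual sign that something was interpolated by hand).
# Note: a literal ? inside the fragment would be miscounted; keep such
# characters in bound values, not in the fragment.
def bind_sql(fragment, values)
  placeholders = fragment.count("?")
  unless placeholders == values.size
    raise ArgumentError, "expected #{placeholders} values, got #{values.size}"
  end
  i = -1
  fragment.gsub("?") { quote_sql(values[i += 1]) }
end

# Identifiers (column names) cannot be quoted the way values are; they
# must be allowlisted. This pattern is a deliberately narrow assumption.
def where_fragment(column, value)
  unless column =~ /\A[a-z_][a-z0-9_]*\z/
    raise ArgumentError, "column name not allowed: #{column.inspect}"
  end
  bind_sql("AND #{column} = ?", [value])
end
```

`bind_sql("AND column1 = ?", ["two's"])` returns `AND column1 = 'two''s'`, the same literal the question's sanitize_sql call produces, and the classic `x' OR '1'='1` payload becomes a harmless string literal. The second function exists because the question's real difficulty with "native SQL" is usually not the values but the identifiers and operators around them: those cannot be escaped, only chosen from a fixed set.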

Codeigniter - best practice to sanitize input

本小妞迷上赌 submitted on 2019-11-30 07:15:07
Question: I would like to know the best practice to sanitize user input using Codeigniter. I understand that CI offers form_validation, such as set_rules. 'set_rules'=>'trim|xss_clean|alpha_numeric|htmlspecialchars' "Any native PHP function that accepts one parameter can be used as a rule, like htmlspecialchars, trim, MD5, etc." My question now is, is this enough to protect us from XSS, SQL injection attacks etc.? What other rules are there that I can apply? In terms of performance, is it costly
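Three of the questions on this page ("When to filter/sanitize data: before database insertion or before display?", the PHP clearSpecialChars function, and this Codeigniter rule chain) are really one question: can a single transformation applied on input stand in for encoding at the point of output? The block below is an added example written for this page, not code from any of the posts. It contrasts "store the raw value, encode once per sink" with a stacked input filter modelled on the PHP question's htmlentities + strip_tags + mysql_real_escape_string, using Ruby's CGI.escapeHTML, a tag-stripping regex and a backslash escaper as stand-ins for those PHP functions; the SQL encoder is a stand-in for a driver's quote/bind, not a real adapter.

```ruby
require "cgi"
require "json"

# Added example, not code from any of the posts above. Compares
# "store raw, encode per sink" with a stacked once-on-input filter
# modelled on htmlentities + strip_tags + mysql_real_escape_string.

# --- one encoder per sink; the stored value is never modified ---

def html_text(value)                 # text between tags
  CGI.escapeHTML(value)
end

def html_attribute(name, value)      # double-quoted attribute
  %(#{name}="#{CGI.escapeHTML(value)}")
end

def sql_literal(value)               # stand-in for the driver's quote/bind
  "'" + value.gsub("'", "''") + "'"  # SQL-standard doubling; MySQL differs
end

def json_string(value)               # for an API response
  value.to_json
end

# Renders one raw value for several sinks.
def render_everywhere(raw)
  {
    html: html_text(raw),
    attr: html_attribute("value", raw),
    sql:  "WHERE email = #{sql_literal(raw)}",
    json: json_string(raw),
  }
end

# --- the stacked "clean everything once on input" approach ---

# Ruby model of the PHP question's clearSpecialChars. Step 1 already
# turns every quote and angle bracket into an entity, so steps 2 and 3
# have nothing left to act on: the chain is redundant for HTML, wrong
# for every non-HTML sink, and silently rewrites the stored value.
def stacked_clear_special_chars(str)
  s = CGI.escapeHTML(str)                 # ~ htmlentities
  s = s.gsub(/<[^>]*>/, "")               # ~ strip_tags (no tags survive step 1)
  s.gsub(/['"\\]/) { |c| "\\" + c }       # ~ mysql_real_escape_string (no quotes survive step 1)
end
```

With the e-mail address `o'brien@example.com`, render_everywhere produces a correct HTML text node (`o&#39;brien@example.com`), a correct SQL literal (`'o''brien@example.com'`) and the unchanged address in JSON. The stacked filter stores `o&#39;brien@example.com` instead of the address the user typed; displaying that stored value with the HTML encoding the page needs anyway yields `o&amp;#39;brien@example.com`, and it is equally wrong inside JSON, an e-mail header or a CSV export. The same filter leaves `1 OR 1=1` untouched, so it gives no protection at all in an unquoted numeric SQL context; only parameter binding (the PDO the first question already uses, or CI's query bindings) does. That is the concrete reason the answer to "before insertion or before display?" is: validate on input, encode on output, per sink.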