sanitization

Escape non HTML tags in plain text (convert plain text to HTML)

主宰稳场 submitted on 2019-12-29 02:05:41
Question: Using Rails, I need to take plain text and show it as HTML, but I don't want to use the <pre> tag, as it changes the format.
Answer 1: I needed to subclass HTML::WhiteListSanitizer to escape non-whitelisted tags (by changing process_node), monkey patch HTML::Node so it doesn't downcase tags' names, and monkey patch HTML::Text to apply <wbr /> word splitting: class Text2HTML def self.convert text text = simple_format text text = auto_link text, :all, :target => '_blank' text = NonHTMLEscaper.sanitize text

Dealing with line Breaks on contentEditable DIV

萝らか妹 submitted on 2019-12-27 13:42:47
Question: I have a problem with contenteditable line breaks on SAFARI/CHROME. When I press "return" on a contentEditable <div>, instead of creating a <br> (like Firefox), they create a new <div>: <div>Something</div> <div>Something</div> That looks like (on the contentEditable DIV): Something Something But after sanitization (removing <div>), I get this: SomethingSomething In Firefox, the contenteditable is: Something <br> Something And that after sanitization looks the same: Something Something Is

MySQL HTML sanitization

[亡魂溺海] submitted on 2019-12-25 08:33:13
Question: I have a website that saves data to a MySQL database. Should I escape the HTML upon inserting it into MySQL or upon displaying it on my website? Ideally, I'd like to input raw HTML into my database and just sanitize each time I pull from it. Is there any danger in doing it this way? Example html: <h1>test</h1>
Answer 1: typically users won't save HTML, but I don't want them to be restricted. Of course that HTML won't be executed. It will just be displayed Should I escape the HTML upon inserting it

mysql real escape string and Cookies

我怕爱的太早我们不能终老 submitted on 2019-12-24 20:20:05
Question: Is there any reason this is bad form? The only user input data on the page is // Set username and password from cookies $username = mysql_real_escape_string($_COOKIE["username"]); $password = mysql_real_escape_string($_COOKIE['password']); I am REALLY new to the idea of sanitizing. Is there any reason this is a terrible way of doing things?
Answer 1: NEVER, EVER store users' data in cookies! Here's what I suggest: store user's ID in cookie generate special token and hash+salt and store them in

How would you sanitize the street number out of a postal address using Java?

霸气de小男生 submitted on 2019-12-24 09:49:29
Question: To ensure data privacy, I have to publish a list of addresses after removing the street numbers. So, for example: 1600 Amphitheatre Parkway, Mountain View, CA needs to be published as Amphitheatre Parkway, Mountain View, CA What's the best way to do this in Java? Does this require regex?
Answer 1: EDIT: How about... addressString.replace("^\\s*[0-9]+\\s+",""); or JavaScript... addressString.replace(/^\s*[0-9]+\s+/,''); My original suggestion was (JavaScript)... addressString.replace(/^\s*[0-9]+\s

How to add a HTML5 tag to AntiSamy policy file?

我与影子孤独终老i submitted on 2019-12-23 23:42:21
Question: My AntiSamy file does not seem to like the HTML5 <figure> tag. It's allowing the tag itself to exist, but nothing contained inside it. So this: <figure> <img src="image/path"/> </figure> Is becoming this: <figure> </figure> <img src="image/path"/> How can I stop AntiSamy from stripping out the content of the <figure> tag? I want it to allow the <figure> tag and all its attributes and content.
Source: https://stackoverflow.com/questions/32427087/how-to-add-a-html5-tag-to-antisamy-policy-file

How to sanitize input with PHP and the sqlsrv driver?

橙三吉。 submitted on 2019-12-23 21:14:08
Question: I'm working on a PHP MSSQL project that is using the sqlsrv driver. What's the best way to stop SQL injection attacks? I need something like mysql_real_escape_string() but for the sqlsrv driver.
Answer 1: The best way is not to write your SQL so that you need to use an analogue of mysql_real_escape_string(), which you would do by using placeholders for the values and then passing the variables (that would otherwise have been handled by mysql_real_escape_string()) when you execute the statement or

Is preg_match safe enough in input sanitization?

陌路散爱 submitted on 2019-12-23 09:49:18
Question: I am building a new web-app, LAMP environment... I am wondering if preg_match can be trusted for user input validation (+ prepared stmt, of course) for all the text-based fields (aka not HTML fields; phone, name, surname, etc..). For example, for a classic 'email field', if I check the input like: $email_pattern = "/^([a-zA-Z0-9_\-\.]+)@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.)" . "|(([a-zA-Z0-9\-]+\.)+))([a-zA-Z]{2,4}" . "|[0-9]{1,3})(\]?)$/"; $email = $_POST['email']; if(preg_match($email