Ruby On Rails : Why do we need to html_safe string? : Why html tags not rendered?

What is html_safe? Why use that? Read this

Let's say you have a feature in your application such that you have a text-area (integrated with a text-editor plugin) in your form, and users can write markup. This markup is supposed to be rendered in the view as HTML tags (just as it appeared in a text editor like CKEditor). Suppose you write Continue reading

Rails : XSS (Cross Site Scripting) : Sanitize your data from harmful HTML tags : , , etc

Do you know what XSS is?

One of the most widespread and devastating security vulnerabilities in web applications is XSS. This attack injects client-side executable code into an HTML document via data that was stored through HTML forms. Rails provides helper methods to fend these attacks off.

Any <script> tag in user-submitted data may lead to cookie theft. Use the following configuration (in config/application.rb) to define the allowlist of tags and attributes that the sanitize helper lets through; everything else is stripped.

class Application < Rails::Application
  # Tags that survive sanitize; any tag not listed here (script, style, iframe, ...) is removed
  config.action_view.sanitized_allowed_tags = %w(del dd h3 address big sub tt a ul h4 cite dfn h5 small kbd code b ins img h6 sup pre strong blockquote acronym dt br p samp li ol var em div h1 i abbr h2 span hr)
  # Attributes that survive sanitize; event handlers such as onclick or onerror are not listed, so they are removed
  config.action_view.sanitized_allowed_attributes = %w(name href style cite class title src xml:lang height datetime alt abbr width)
end

How to use?

-# sanitize removes tags and attributes outside the allowlist and returns an html_safe string,
-# so marking the input html_safe beforehand is unnecessary
= sanitize comment.message.gsub("\n", '<br>')
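To make the allowlist logic behind that configuration and helper visible, here is an added, self-contained Ruby stand-in. It is not code from the original post and not the rails-html-sanitizer implementation (which parses with Nokogiri and handles far more cases); the tag, attribute and protocol lists are constructed for this example and only follow the shape of the lists above. It goes slightly beyond the post in one respect: because href and src are on the allowlist, it also rejects URL values whose scheme is not allowlisted, after decoding entities, which the real sanitize helper does as well.

```ruby
require 'cgi'

# Constructed allowlists for this example; they follow the shape of the
# sanitized_allowed_tags / sanitized_allowed_attributes lists above but are
# shorter so the behaviour is easy to follow.
ALLOWED_TAGS = %w[a b i em strong p br ul ol li code pre blockquote h1 h2 h3 span div img].freeze
ALLOWED_ATTRIBUTES = %w[href src title alt class].freeze
# href/src values are kept only when relative (no scheme) or when the scheme is listed here.
ALLOWED_PROTOCOLS = %w[http https mailto].freeze

TAG_RE  = %r{\A<(/?)([a-zA-Z][a-zA-Z0-9]*)([^<>]*?)(/?)>\z}
ATTR_RE = /([a-zA-Z][\w:-]*)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/

# Reject URL-bearing attribute values whose scheme is not allowlisted.
# Entities are decoded and ASCII control/space characters removed first, so a
# value such as "java&#9;script&#58;..." is judged on what the browser would see.
def safe_url?(value)
  normalized = CGI.unescapeHTML(value).gsub(/[\x00-\x20]/, '').downcase
  return true unless normalized.include?(':')
  ALLOWED_PROTOCOLS.include?(normalized.split(':', 2).first)
end

# Keep only allowlisted attributes, drop unsafe URLs, and re-escape the values.
def sanitize_attributes(attr_string)
  attr_string.scan(ATTR_RE).filter_map do |name, dq, sq, bare|
    name = name.downcase
    next unless ALLOWED_ATTRIBUTES.include?(name)
    value = dq || sq || bare || ''
    next if %w[href src].include?(name) && !safe_url?(value)
    %(#{name}="#{CGI.escapeHTML(CGI.unescapeHTML(value))}")
  end
end

# Walk the input as a sequence of tags and text runs. Text (and any stray '<')
# is entity-escaped; tags outside the allowlist are dropped while their text
# content is kept, escaped; allowed tags are re-emitted with filtered attributes.
def sanitize_html(input)
  input.gsub(%r{</?[a-zA-Z][^<>]*>|[^<]+|<}) do |chunk|
    m = TAG_RE.match(chunk)
    next CGI.escapeHTML(CGI.unescapeHTML(chunk)) if m.nil?   # text node

    closing, name, attrs, self_closing = m.captures
    name = name.downcase
    next '' unless ALLOWED_TAGS.include?(name)               # e.g. <script>, <style>
    next "</#{name}>" if closing == '/'

    opening = ["<#{name}", *sanitize_attributes(attrs)].join(' ')
    self_closing == '/' ? "#{opening} />" : "#{opening}>"
  end
end

# Mirrors the view helper above: newlines become <br> first, then the whole
# string goes through the allowlist sanitizer.
def render_comment(message)
  sanitize_html(message.gsub("\n", '<br>'))
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs: benign markup, a script tag, event handlers and URL schemes.
  [
    '<p>Hello <b>world</b></p>',
    '<script>alert(document.cookie)</script>',
    '<a href="javascript:alert(1)" onclick="x()">click</a>',
    '<a href="java&#9;script&#58;alert(1)">encoded</a>',
    '<img src="/avatar.png" onerror="alert(1)">',
    '1 < 2 & 3 > 2'
  ].each { |html| puts "#{html.inspect} => #{sanitize_html(html).inspect}" }
end
```

Running the script shows the two halves of the defence: tags and attributes not on the allowlist disappear (the script element is reduced to inert text, onclick and onerror are gone), while plain text is entity-escaped so a stray `<` can never open a tag. In the application itself, keep using the `sanitize` helper with the configuration above rather than a hand-rolled scanner; the point of the stand-in is only to show what that allowlist does.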