
implementing whitelist plugin

Posted in Forums : Ask a Rails expert

 
Profile

Authority 0
Posting Rating 27

Hi everyone
I have installed the whitelist plugin in my project but I am unable to use it in my project. Can anyone help, please?
The readme has the syntax: <%= white_list @article.body %>
But what is it, and how should I implement it in my project?
Any help would be appreciated.
Thanks.

 
Me

Authority 37
Posting Rating 100

Could you describe what you’re trying to achieve and maybe give a more detailed description of your problem?
The readme is pretty clear I think – you can find it here: http://svn.techno-weenie.net/projects/plugins/white_list/README

If you want to whitelist more tags than the ones that Rick whitelists as a default (check out the bottom of http://svn.techno-weenie.net/projects/plugins/white_list/lib/white_list_helper.rb for details), you just call WhiteListHelper.tags.merge %w(...) and replace the stuff in parentheses with the tags you want to add to the whitelist.

 
Profile

Authority 0
Posting Rating 27

I have a textarea like this in one of my forms:
<label class="preField" for="description">Position Description</label>
<%= f.text_area("description", :cols => 45, :rows => 15, :maxlength => 4000) %>

I need to use the whitelist plugin for this textarea so that if the user adds any javascript tag here it should be removed. So basically my question is: how do I make use of the white list plugin for this textarea?

 
Me

Authority 37
Posting Rating 100

You're mistaken about what the whitelist plugin does. It does NOT filter the user INPUT but the OUTPUT. You could of course already write the filtered input to the database, but it's more common to write the stuff in the database as the user wrote it in the form and then, when you output it, run the whitelist helper on it.

So, in your case, you would put the whitelist call in the templates that actually output the description like this:

<%= white_list @product.description %>

I put @product as the object because I don’t know what model we’re talking about.

HTH

 
20064666954644d813e6326

Authority 0
Posting Rating 73

To do it at an app level upon form/data submission, I use a slightly modified version of the whitelist helper and use it as a library.
(most of the code displayed here is taken from some blog I stumbled across at some point)

So then in application_controller.rb

include HtmlFilterHelper

before_filter :sanitize_params

# walk_hash rewrites the hash it is given in place, so params itself is
# sanitized; the original "params = params" default argument shadowed the
# controller's params with nil and never filtered anything.
def sanitize_params
  walk_hash(params) if params
end

# Profile passed to filter_html: 0 for anonymous visitors, 100 (everything
# allowed) for HQ users, otherwise the user's own html_profile.
def html_profile_for_current_user
  return 0 unless logged_in?
  current_user.is_hq? ? 100 : current_user.html_profile
end

def walk_hash(hash)
  hash.keys.each do |key|
    hash[key] = sanitize_value(hash[key])
  end
  hash
end

def walk_array(array)
  array.each_with_index do |el, i|
    array[i] = sanitize_value(el)
  end
  array
end

# Strings are filtered, nested hashes/arrays are walked recursively,
# anything else (e.g. uploaded files) is left untouched.
def sanitize_value(value)
  case value
  when String then filter_html(value, html_profile_for_current_user)
  when Hash   then walk_hash(value)
  when Array  then walk_array(value)
  else value
  end
end
 
Profile

Authority 0
Posting Rating 27

I have tried all possible methods but to no avail. Actually there is the tiny_mce plugin used as well. If I remove that javascript then it is working fine on textarea in edit page. But on the actual page it does not. If I look at the page source I can see the script tag converted perfectly to plain html and even in the database table, but it does not somehow appear that way on the screen.

 
Me

Authority 37
Posting Rating 100

I still don’t understand what your actual problem is …

Why would you want to write sanitized HTML in your database? There's no real use to it except that you only have to sanitize it once, which will save some resources in the long run. On the other hand, if you decide to add tags/attributes to your whitelist, you'll have to update all records in the database to make sure that the change is persistent. And if you remove tags/attributes from your whitelist, strings that have been sanitized using the outdated configuration can't be restored to their original state.

You see: Sanitizing user input (beware: not talking about sanitizing SQL here) is usually a bad idea except if you have very good reasons for it. Filter the output instead.
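To make the two points above concrete (call the whitelist helper in the view, keep the raw text in the database, and why a widened whitelist only helps if the raw text is still there), here is an added, self-contained example. It is not code from this thread or from the white_list plugin: SimpleWhiteList is a deliberately small stand-in for the plugin's white_list helper, its tag and attribute lists are an assumption, and SAMPLE_DESCRIPTION is a constructed stand-in for a submitted product description.

```ruby
require 'set'

# Simplified whitelist sanitizer in the spirit of the white_list plugin
# (added example, not the plugin's code). Tags outside the whitelist are
# escaped rather than removed, attributes outside the whitelist are dropped,
# and href values must use a safe scheme or be relative. The plugin's
# entity and protocol handling is richer; the point here is *where* the
# filtering happens, not its completeness.
module SimpleWhiteList
  DEFAULT_TAGS       = Set.new(%w(a b i em strong p br ul ol li blockquote code pre))
  DEFAULT_ATTRIBUTES = Set.new(%w(href title))
  SAFE_PROTOCOLS     = Set.new(%w(http https mailto))

  TAG_RE   = %r{<(/?)([a-zA-Z][a-zA-Z0-9]*)([^<>]*?)/?>}
  ATTR_RE  = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/
  TOKEN_RE = Regexp.union(TAG_RE, /[<>]/)

  module_function

  def escape(text)
    text.gsub('<', '&lt;').gsub('>', '&gt;')
  end

  # Keeps only whitelisted attributes; an href with a non-whitelisted
  # scheme (e.g. javascript:) is dropped, relative links are kept.
  def safe_attributes(attr_text, attributes)
    attr_text.scan(ATTR_RE).map do |name, dq, sq, bare|
      name  = name.downcase
      value = (dq || sq || bare || '').strip
      next unless attributes.include?(name)
      if name == 'href'
        scheme = value[/\A([a-zA-Z][a-zA-Z0-9+.\-]*):/, 1]
        next if scheme && !SAFE_PROTOCOLS.include?(scheme.downcase)
      end
      " #{name}=\"#{value.gsub('"', '&quot;')}\""
    end.compact.join
  end

  def white_list(html, tags = DEFAULT_TAGS, attributes = DEFAULT_ATTRIBUTES)
    return '' if html.nil?
    html.gsub(TOKEN_RE) do |chunk|
      closing, name, attr_text = $1, $2, $3
      if name.nil? || !tags.include?(name.downcase)
        escape(chunk)                 # stray < > and non-whitelisted tags
      elsif closing == '/'
        "</#{name.downcase}>"
      else
        "<#{name.downcase}#{safe_attributes(attr_text, attributes)}>"
      end
    end
  end
end

# Constructed sample: what a user might submit through the description textarea.
SAMPLE_DESCRIPTION = '<p>Senior <b>Rails</b> developer.</p>' \
                     "<script>alert('xss')</script>" \
                     '<a href="javascript:alert(1)" onclick="steal()">apply</a>' \
                     '<table><tr><td>not allowed yet</td></tr></table>'

# Output-side filtering: the database keeps what the user typed and the view
# (<%= white_list @product.description %> in the thread) filters at render time.
def render_description(stored)
  SimpleWhiteList.white_list(stored)
end

# Widening the whitelist later is a configuration change only, because the
# raw text is still in the database.
def render_with_tables(stored)
  SimpleWhiteList.white_list(stored, SimpleWhiteList::DEFAULT_TAGS + %w(table tr td))
end

if __FILE__ == $0
  puts render_description(SAMPLE_DESCRIPTION)
  puts render_with_tables(SAMPLE_DESCRIPTION)
  # If the sanitized string had been stored instead, the table would stay
  # escaped no matter how the whitelist is changed afterwards:
  puts render_with_tables(render_description(SAMPLE_DESCRIPTION))
end
```

The third call in the usage block is the situation described in the post: once the escaped `&lt;table&gt;` has been written to the database, no later whitelist change brings the table back, whereas rendering from the raw text picks up the new configuration immediately.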

 
Profile

Authority 0
Posting Rating 27

I finally found a method through which I can apply the white_list plugin for all elements in my project. I followed the link "http://code.google.com/p/sanitizeparams/source/diff?r=7&format=side&path=/trunk/sanitize_params/README". But the problem is when I add the line config.plugins = [:white_list, :sanitize_params, :all] to my environment.rb I get an error:
./script/../config/../vendor/rails/railties/lib/initializer.rb:195:in `load_plugins’: Cannot find the plugin ‘white_list’! (LoadError) from ./script/../config/../vendor/rails/railties/lib/initializer.rb:193:in `each’ from ./script/../config/../vendor/rails/railties/lib/initializer.rb:193:in `load_plugins’ from ./script/../config/../vendor/rails/railties/lib/initializer.rb:109:in `process’ from ./script/../config/../vendor/rails/railties/lib/initializer.rb:47:in `send’ from ./script/../config/../vendor/rails/railties/lib/initializer.rb:47:in `run’ from ./script/../config/../config/environment.rb:13 from c:/ruby/lib/ruby/site_ruby/1.8/rubygems/custom_require.rb:27:in `gem_original_require’ from c:/ruby/lib/ruby/site_ruby/1.8/rubygems/custom_require.rb:27:in `require’ ... 11 levels… from c:/ruby/lib/ruby/site_ruby/1.8/rubygems/custom_require.rb:27:in `require’ from ./script/server:3 from -e:4:in `load’ from -e:4

Please help. I'm using ruby 1.8.6 and rails 1.2.6.

 
Me

Authority 37
Posting Rating 100

Why do you have that line in your config? The config.plugins stuff is only needed when you need to specify a certain order for your plugins … Just leave this line out and have them included in alphabetical order.

PS: The error’s there because you probably haven’t moved your plugin to the correct directory (vendor/plugins/white_list).
