Re: [loofah] loofah-activerecord and ampersand
From: Mike Dalessio
Date: 2011-09-06 @ 13:10
Hello!
On Thu, Sep 1, 2011 at 6:11 PM, Mark Nadig <mark@nadigs.net> wrote:
> Hi,
>
> I am using loofah-activerecord 1.0.0 w/ loofah 1.2.0 and
> Loofah::XssFoliate.xss_foliate_all_models. It has been invaluable in
> scrubbing inputs – fast. However, I found a snag today where the user entered
> a project name "Cookies & Cream" and the result from being scrubbed is
> "Cookies & Cream". Google foo results are not showing a way to not
> escape. How can I configure loofah to not scrub that? Any help appreciated.
>
Thanks for asking this question. We've currently got an open issue
discussing the broader issue here:
https://github.com/flavorjones/loofah/issues/20#issuecomment-1751538
The broader issue being that a bare ampersand is not valid HTML, and Loofah
always ensures you've got valid HTML. Jump on the issue with feedback and
ideas, please. I'm planning on addressing this, somehow, for the next point
release.
>
> Mark Nadig
>
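The point in the reply is that a sanitizer which guarantees well-formed HTML must serialize a bare "&" as "&amp;", so the stored value is an HTML fragment, not plain text. The following is an added example written for this page; it is neither code from the thread nor Loofah's implementation, and it uses only Ruby's standard library. The `normalize_as_html` stand-in models only the entity handling for tag-free text (a real HTML sanitizer also strips or escapes tags), and `render_with_auto_escape` models what an auto-escaping template does when handed that stored fragment as an ordinary string. The names and the "Cookies & Cream" input are constructed for the example.

```ruby
require "cgi"

# Stand-in for how an HTML-aware scrubber treats plain text: decode any
# entities already present, then re-serialize as well-formed HTML. A bare
# "&" becomes "&amp;", and a value that already reads "&amp;" is left as
# "&amp;" rather than being escaped a second time (the operation is
# idempotent). Simplified model for this example, not Loofah's code.
def normalize_as_html(text)
  CGI.escapeHTML(CGI.unescapeHTML(text))
end

# Convert the stored HTML fragment back to plain text when it has to be
# shown outside an HTML context (plain-text mail, CSV export, JSON API).
def html_to_text(html_fragment)
  CGI.unescapeHTML(html_fragment)
end

# What an auto-escaping template (Rails' ERB, for instance) does if the
# stored fragment is rendered as an ordinary, untrusted string: it escapes
# it again and the reader sees "&amp;" literally. The fix is to treat the
# scrubbed value as the HTML it is (mark it html_safe / render it raw) or
# to decode it with html_to_text first, not to turn the scrubber off.
def render_with_auto_escape(stored_value)
  CGI.escapeHTML(stored_value)
end

if __FILE__ == $PROGRAM_NAME
  user_input = "Cookies & Cream"          # constructed sample input
  stored     = normalize_as_html(user_input)

  puts "stored in the database:       #{stored}"
  puts "scrubbed a second time:       #{normalize_as_html(stored)}"
  puts "decoded back to plain text:   #{html_to_text(stored)}"
  puts "rendered with auto-escaping:  #{render_with_auto_escape(stored)}"
end
```

Running the script prints `Cookies &amp; Cream` for the stored value and again for the second pass (the scrubber does not compound its own output), the original `Cookies & Cream` after decoding, and `Cookies &amp;amp; Cream` for the double-escaped rendering, which is what a literal "&amp;" on a web page looks like in the source.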