
loofah-activerecord and ampersand

From:
Mark Nadig
Date:
2011-09-01 @ 22:11
Hi,

I am using loofah-activerecord 1.0.0 w/ loofah 1.2.0 and
Loofah::XssFoliate.xss_foliate_all_models. It has been invaluable in
scrubbing inputs – fast. However, I found a snag today where the user entered
a project name "Cookies & Cream" and the result from being scrubbed in
"Cookies & Cream". Google foo results are not showing a way to not
escape. How can I configure loofah to not scrub that? Any help appreciated.

Mark Nadig

Re: [loofah] loofah-activerecord and ampersand

From:
Mike Dalessio
Date:
2011-09-06 @ 13:10
Hello!

On Thu, Sep 1, 2011 at 6:11 PM, Mark Nadig <mark@nadigs.net> wrote:

> Hi,
>
> I am using loofah-activerecord 1.0.0 w/ loofah 1.2.0 and
>  Loofah::XssFoliate.xss_foliate_all_models. It has been invaluable in
> scrubbing inputs – fast. However, I found a snag today where the user entered
> a project name "Cookies & Cream" and the result from being scrubbed in
> "Cookies & Cream". Google foo results are not showing a way to not
> escape. How can I configure loofah to not scrub that? Any help appreciated.
>

Thanks for asking this question. We've currently got an open issue
discussing the broader issue here:

https://github.com/flavorjones/loofah/issues/20#issuecomment-1751538

The broader issue being that a bare ampersand is not valid HTML, and Loofah
always ensures you've got valid HTML. Jump on the issue with feedback and
ideas, please. I'm planning on addressing this, somehow, for the next point
release.


>
> Mark Nadig
>
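To illustrate the behaviour discussed above (a bare ampersand is not valid HTML, so a scrubber that always emits well-formed HTML must turn "&" into "&amp;"), here is an added example that is not part of the thread and not code from Loofah or loofah-activerecord. It uses Loofah if the gem happens to be installed and otherwise falls back to Ruby's stdlib `CGI.escapeHTML` as a stand-in (an assumption that holds for tag-free text such as a project name). The three helper names are made up for this demo. The point it shows is the failure mode a practitioner actually hits: the stored value is already HTML-encoded, so re-escaping it in a view double-encodes the entity, while decoding it once gives back the plain text the user typed.

```ruby
require 'cgi'

# Use the real scrubber when available; otherwise the stdlib stand-in.
begin
  require 'loofah'
  LOOFAH_AVAILABLE = true
rescue LoadError
  LOOFAH_AVAILABLE = false
end

# Mimics what xss_foliate does on save: parse the attribute as an HTML
# fragment, strip unsafe markup, and serialize it back as valid HTML.
# A text node containing "&" serializes as "&amp;".
def scrub_like_loofah(input)
  if LOOFAH_AVAILABLE
    Loofah.fragment(input).scrub!(:strip).to_s
  else
    # Assumption: for input with no tags, serializing a text node is the
    # same as HTML-escaping it.
    CGI.escapeHTML(input)
  end
end

# What an auto-escaping template does to the stored value: it treats the
# already-encoded string as plain text and escapes it a second time.
def render_autoescaped(stored)
  CGI.escapeHTML(stored)
end

# The plain-text view of the stored value: decode the HTML entities once.
# Only use the result in plain-text contexts (email subjects, logs, JSON);
# in HTML contexts render the stored value without re-escaping instead.
def plain_text(stored)
  CGI.unescapeHTML(stored)
end

# Cheap check for the double-encoding symptom in rendered output.
def double_encoded?(rendered)
  rendered.include?('&amp;amp;')
end

if $PROGRAM_NAME == __FILE__
  stored = scrub_like_loofah('Cookies & Cream')   # constructed input
  puts "stored in DB:      #{stored}"
  puts "view re-escaped:   #{render_autoescaped(stored)}"
  puts "decoded once:      #{plain_text(stored)}"
end
```

Running the script prints the stored form `Cookies &amp; Cream`, the double-encoded `Cookies &amp;amp; Cream` a naive view would emit, and the decoded `Cookies & Cream`. The design choice worth noting: once an attribute is scrubbed into HTML on save, every consumer has to know it holds HTML, not text; the `plain_text` helper is the explicit boundary for the non-HTML consumers.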