How to show some HTML entities on title tag using Rails

Question

I'm running Rails 4.2.x and I have the following problem.

The <title> of some pages are generated from user content. So I have to use the sanitize Rails helpers to properly clean it up.

But if the user writes something like "A & B", the title shown in browser is A & B which is wrong.

What's the correct way of escaping user content on the <title> tag using Rails? At least some special characters should be included...

`<%= title.html_safe %>` should help. And see http://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html#method-i-strip_tags — devanand, Feb 25 '16 at 11:59
@devanand html_safe marks the user input as safe, whatever it contains... so that's the unsafest approach :-) — rubenfonseca, Feb 25 '16 at 12:19
the link I gave you to read, explains how to make user input more secure! — devanand, Feb 25 '16 at 12:29
@devanand I know how to make the input more secure, and in general, `sanitize` works great when we inject user input in the middle of the HTML. However in this case, the `` tag is sensitive to HTML entities, so I don't want some of them to be escaped. — rubenfonseca, Feb 25 '16 at 12:52
that's what I'd like to tell. use `strip_tags` in that case. or did I misunderstood? — devanand, Feb 26 '16 at 14:56

score 1 · Answer 1 · edited May 23 '17 at 12:15

1

We can use CGi also

title =  "A & B"
=> "A & B"
string = CGI.escapeHTML(title)
=> "A &amp; B" 
string = CGI.unescapeHTML(title)
=> "A & B"

Rails providing so many options to escape

Refer these links:

raw vs. html_safe vs. h to unescape html

How to HTML encode/escape a string? Is there a built-in?

If you want remove tags you can use SanitizeHelper

One more option : WhiteListSanitizer

white_list_sanitizer = Rails::Html::WhiteListSanitizer.new
white_list_sanitizer.sanitize(s, tags: %w())
white_list_sanitizer.sanitize(s, tags: %w(table tr td), attributes: %w(id class style))

You can use Rails::Html::TargetScrubber also

edited May 23 '17 at 12:15

Community

1
1

answered Feb 25 '16 at 11:51

Kanna

990
1
11
30

`CGI.unescapeHTML("")` returns ``, not very safe :-) – rubenfonseca Feb 25 '16 at 12:17
Do you want remove html tags or script tag – Kanna Feb 25 '16 at 12:35
I want to sanitize user input, so I don't be attacked by XSS – rubenfonseca Feb 25 '16 at 12:53
yes, that's what I've described in the question. It works great for injecting user content in the middle of html, but since it escapes html entities, it breaks my `` tag. – rubenfonseca Feb 25 '16 at 12:58
try this string.gsub(/<\/?[^>]*>/, "") – Kanna Feb 25 '16 at 13:17
I was expecting a more standard/proven solution inside Rails in 2016 – rubenfonseca Feb 25 '16 at 13:27
Otherwise try WhiteListSanitizer. – Kanna Feb 25 '16 at 13:36
@WtrKanna did you even try the examples you posted? It still encodes the `&` as `&` – rubenfonseca Feb 25 '16 at 21:04

John McGrath · Answer 2 · 2018-12-06T18:08:05.270

You can both sanitize and convert html entities to proper characters with a combination of sanitize and the htmlentities gem. This works for me in the console:

gem install htmlentities

then...

c = ActionController::Base::ApplicationController.new
dirty_content = "<script>content & tags</script>"
clean_but_with_entities = c.helpers.sanitize(dirty_content)
nice_looking = HTMLEntities.new.decode(clean_but_with_entities.to_str )

You end up with "content & tags". To make this easier to use I put this in application_controller:

helper_method :sanitize_and_decode
def sanitize_and_decode(str)
  helpers.sanitize(str)
  HTMLEntities.new.decode(str.to_str)
end

(to_str is to work around the SafeBuffer issue mentioned here)

How to show some HTML entities on title tag using Rails

2 Answers2

Linked