John Topley’s Weblog

Rails Tip #12: Easy HTML Input Validation

Not really a Rails-specific tip this one, more of a Ruby tip presented in a Rails’ context. Let’s imagine that your application accepts user input and you’re using HTML whitelisting to allow through a limited number of HTML elements, such as <a>, <strong>, <em> etc. This is fine, but you’ll also want to ensure that the user can’t enter badly-formed markup because that can seriously affect the rest of your page. Somehow you need to check that any markup entered is well-formed and inform the user if it isn’t.

It turns out this is easy to do using Ruby’s REXML module, which performs XML processing. For example, to validate a field named lyrics in a Track ActiveRecord model, you could add the following to the Track model class:

protected
def validate
  begin
    REXML::Document.new("<lyrics>#{self.lyrics}</lyrics>")
  rescue REXML::ParseException => exception
    errors.add(:lyrics, 'are not valid HTML.')
  end
end

—Note that the <lyrics> element in the REXML::Document constructor can be anything you like because it’s just there to provide a bit of an XML structure around the user’s input. Sending the message message to the rescued exception object will return more detailed information about why the parsing failed if you require that.

Comments

There aren’t any comments on this post. Comments are closed.


Archives

  • Jan
  • Feb
  • Mar
  • Apr
  • May
  • Jun
  • Jul
  • Aug
  • Sep
  • Oct
  • Nov
  • Dec
  • 2017
  • 2016
  • 2015
  • 2014
  • 2013
  • 2012

More Archives


Sign In