Wednesday, 12 August 2015

Strip/Sanitize/Don't interpolate ERb Tags From a String

I have a Rails project in which we need to offer some of our customers the ability to create their own page, but allow them to use some of our pre-made partials (.html.erb).

I have been able to securely offer select partials using the liquid gem; however, this doesn't prevent a customer from directly using ERb tags when they design their page, as when I run Liquid::Template.parse(raw_html_with_erb).render, the ERb tags still get interpolated.

Example Customer Input:

<html>
<head>
  <%= render partial: "shared/html_head" %>  // this should get stripped
  {{ page.html_head }}                       // this would stay and be given to liquid
</head>
<body>
  <h1>H1 tag should stay</h1>
  <p>p tags too</p>
  <%= render partial: "shared/nav" %>        // remove this erb
  {{ page.nav }}                             // also stays and renders with liquid
  <%= secret_stuff %>                        // definitely do not want this to show
</body>
</html>

Example output:

<html>
<head>

  {{ page.html_head }}
</head>
<body>
  <h1>H1 tag should stay</h1>
  <p>p tags too</p>

  {{ page.nav }}

</body>
</html>

It appears that the Rails sanitize(html, options = {}) method accomplishes what I'm looking for, but it strips more than just ERb tags.
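One way to get the output shown above, as an added example that is not part of the original post and not code from the liquid gem or from Rails: a small Ruby stripper that removes every ERb tag form (<% %>, <%= %>, <%# %>, <%- -%>, including tags that span lines) while leaving HTML and Liquid {{ }} / {% %} markup untouched. Rails' sanitize is an HTML sanitizer, so it treats <% ... %> like any other unknown tag and takes other markup with it; a dedicated ERb stripper avoids that. The function names, the constructed customer input and the ArgumentError-on-leftover policy are this example's own assumptions; only the standard library's ERB class is used, so it runs without Liquid installed.

```ruby
require "erb"

# Matches every ERb tag form: <% %>, <%= %>, <%# %>, <%- -%>.
# ERb tags cannot nest, so a non-greedy match up to the first "%>" is
# correct for well-formed input; /m lets "." span newlines so a multi-line
# comment or code tag is removed whole.
ERB_TAG = /<%[=#-]?.*?-?%>/m

# Remove all ERb tags from a customer-supplied template string.
def strip_erb(source)
  source.gsub(ERB_TAG, "")
end

# After stripping, any surviving "<%" or "%>" means the regex did not
# account for something (an unterminated tag, or a tag whose Ruby code
# contains the literal string "%>", which ends the match early). Such
# input is refused rather than passed along, because a single surviving
# "<%" is enough to execute code if the string later reaches ERb.
# Liquid's own delimiters are "{{ }}" and "{% %}", so they never trip this.
def erb_free?(source)
  !source.include?("<%") && !source.include?("%>")
end

# The entry point a controller would call before handing the string to
# Liquid::Template.parse: strip, then fail closed if anything ERb-like is left.
def safe_template(source)
  stripped = strip_erb(source)
  raise ArgumentError, "template still contains ERb delimiters" unless erb_free?(stripped)
  stripped
end

# Independent check that the stripped text is inert under ERb: evaluating it
# as an ERb template must reproduce it byte for byte (no code ran, no text
# was produced by a tag).
def inert_under_erb?(source)
  ERB.new(source).result(binding) == source
end

# Constructed customer input modelled on the question's example, plus a
# multi-line comment tag and a Liquid block tag to exercise the edge cases.
CUSTOMER_INPUT = <<~HTML
  <html>
  <head>
    <%= render partial: "shared/html_head" %>
    {{ page.html_head }}
  </head>
  <body>
    <h1>H1 tag should stay</h1>
    <p>p tags too</p>
    <%# a comment tag
        spanning two lines %>
    <%= render partial: "shared/nav" %>
    {{ page.nav }}
    <%- secret_stuff -%>
    {% if page.show_footer %}<p>footer</p>{% endif %}
  </body>
  </html>
HTML

if __FILE__ == $PROGRAM_NAME
  cleaned = safe_template(CUSTOMER_INPUT)
  puts cleaned
  puts "inert under ERb: #{inert_under_erb?(cleaned)}"
  # A tag whose code contains "%>" is refused instead of half-stripped.
  begin
    safe_template('<%= "%>" %>')
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

The cleaned string is what would go to Liquid::Template.parse. Whatever Liquid then renders should be treated as a finished plain string and written to the response as-is; handing it to render inline: or to ERB.new would evaluate any ERb syntax that survived, so the stripping above only helps if no later step re-interprets the text as a template.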
