Web Issues | 141
Whitelisting
Instead, whitelisting is a good option. Rick Olson has created a whitelisting plugin, white_list (http://svn.techno-weenie.net/projects/plugins/white_list/), that is the preferred method for preventing cross-site scripting attacks. It is based on a more sound philosophy (only allowing that which is explicitly allowed), and it has more extensive tests than the Rails blacklisting helpers. The basic helper usage is very similar to the other sanitizing methods; after installing the plugin, the whitelisting filter can be applied as follows:
<%= white_list @post.body %>
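To make the whitelisting philosophy concrete, here is an added example (not the white_list plugin's own code) of a minimal Ruby helper that keeps only explicitly allowed tags, attributes and URI schemes and HTML-encodes everything else; the tag, attribute and scheme sets are constructed for this example and are not the plugin's real defaults.

```ruby
require 'cgi'
require 'set'

# Constructed whitelist for this example, not the plugin's defaults.
ALLOWED_TAGS    = %w[a b i em strong p br ul ol li code pre blockquote].to_set
ALLOWED_ATTRS   = { 'a' => %w[href title], 'code' => %w[class] }
URI_ATTRS       = %w[href src]
ALLOWED_SCHEMES = %w[http https mailto].to_set

TAG_RE  = %r{\A<(/?)([a-zA-Z][a-zA-Z0-9]*)\b([^>]*?)\s*/?>\z}
ATTR_RE = /([a-zA-Z][\w:-]*)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/

# A URI passes only if it has no scheme (relative link) or an allowed one.
def safe_uri?(value)
  m = value.strip.match(/\A([^\/?#:]+):/)
  return true unless m
  # Browsers ignore stray tabs/newlines inside a scheme, so strip them too.
  scheme = m[1].downcase.gsub(/[^a-z0-9+.-]/, '')
  ALLOWED_SCHEMES.include?(scheme)
end

# Keep only the attributes allowed for this tag; URI attributes are
# entity-decoded before the scheme check so encoded schemes cannot slip by.
def clean_attrs(tag, raw)
  allowed = ALLOWED_ATTRS.fetch(tag, [])
  raw.scan(ATTR_RE).map do |name, dq, sq, bare|
    name  = name.downcase
    value = CGI.unescapeHTML(dq || sq || bare || '')
    next unless allowed.include?(name)
    next if URI_ATTRS.include?(name) && !safe_uri?(value)
    %( #{name}="#{CGI.escapeHTML(value)}")
  end.compact.join
end

# Rebuild the markup from allowed tags only; anything else becomes text.
def white_list(html)
  html.scan(/<[^>]*>|[^<]+|</).map do |token|
    m = token.match(TAG_RE)
    if m && ALLOWED_TAGS.include?(m[2].downcase)
      closing, tag, raw = m[1] == '/', m[2].downcase, m[3]
      closing ? "</#{tag}>" : "<#{tag}#{clean_attrs(tag, raw)}>"
    else
      CGI.escapeHTML(CGI.unescapeHTML(token))
    end
  end.join
end
```

The regex tokenizer is deliberately simplified (a `>` inside a quoted attribute value ends the tag early, which is safe but lossy); a production helper should sit on a real HTML parser.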
The white_list plugin has a default set of tags, attributes, and URI schemes that are
allowed, and by default the