I am using FCKEditor in my Ruby on Rails Application. Users add blog posts using FCKEditor.
Then I display blog posts using
@blog.body.html_safe
I know FCKEditor is escaping any JavaScript code, but what if a user posted a request with direct parameters, setting the blog post body to include some JavaScript? This may be a security vulnerability.
Any idea how I can use FCKEditor with Rails safely?
We can use a whitelist HTML sanitizer to escape all tags except some formatting tags.
Sanitize
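To show what an allowlist sanitizer does before the body is stored and later marked html_safe, here is an added, self-contained Ruby illustration (not code from the Sanitize gem or from Rails; the helper names, tag list and sample inputs are all constructed). It uses a simple regex tokenizer, which is enough to show the principle but is exactly why a real application should apply a parser-based library such as Sanitize or Rails' sanitize helper on the server side, e.g. in a before_save callback, rather than trusting the editor.

```ruby
require 'cgi'

# Hypothetical allowlist sanitizer for untrusted blog HTML. Anything that is
# not explicitly allowed (tag, attribute or URL scheme) is escaped or dropped,
# so <script>, event handlers and javascript: links never reach the page.
ALLOWED_TAGS  = %w[p br b i strong em ul ol li a].freeze
ALLOWED_ATTRS = { 'a' => %w[href] }.freeze
SAFE_SCHEMES  = %w[http https mailto].freeze

def safe_url?(url)
  # Browsers ignore embedded whitespace/control characters in URLs, so strip
  # them before inspecting the scheme (otherwise "java\nscript:" slips through).
  cleaned = url.gsub(/[[:space:][:cntrl:]]/, '')
  scheme = cleaned[/\A([a-z][a-z0-9+.\-]*):/i, 1]
  scheme.nil? || SAFE_SCHEMES.include?(scheme.downcase)
end

# Keep only allowlisted attributes for this tag, re-escaping their values.
def sanitize_attrs(tag, raw)
  allowed = ALLOWED_ATTRS.fetch(tag, [])
  pairs = raw.scan(/([a-zA-Z:-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/)
  pairs.map do |name, dq, sq, bare|
    name  = name.downcase
    value = dq || sq || bare || ''
    next unless allowed.include?(name)
    next if name == 'href' && !safe_url?(value)
    %( #{name}="#{CGI.escapeHTML(value)}")
  end.compact.join
end

# Walk the markup tag by tag: allowlisted tags are rebuilt with filtered
# attributes, every other tag (including <script>, <img>, <iframe>) is
# HTML-escaped so it renders as literal text instead of executing.
def sanitize_html(html)
  html.gsub(%r{<(/?)([a-zA-Z0-9]+)([^>]*)>|<[^>]*>?}) do
    closing, tag, attrs = $1, $2, $3
    if tag && ALLOWED_TAGS.include?(tag.downcase)
      tag = tag.downcase
      closing.empty? ? "<#{tag}#{sanitize_attrs(tag, attrs)}>" : "</#{tag}>"
    else
      CGI.escapeHTML($&)
    end
  end
end
```

In the Rails flow described in the question, the sanitized result is what gets saved in @blog.body, so html_safe in the view only ever marks already-filtered markup.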