Ruby: How to prevent Redcarpet from rendering HTML code in the output?


I am using Redcarpet to render, in a webpage, data introduced by the User.

I see that it is very easy for the User to introduce malicious HTML code.

I am trying different Redcarpet initializer options to prevent any possible malicious code from being rendered in the output, but nothing is working:

Trying filter_html:

require "redcarpet"

markdown =
  Redcarpet::Markdown.new(
    Redcarpet::Render::HTML,
    filter_html: true   # ends up in the parser's extension hash
  )

markdown.render("<style>style</style> <script>alert()</script>")

# => "<p><style>style</style> <script>alert()</script></p>\n"

Trying escape_html:

require "redcarpet"

markdown =
  Redcarpet::Markdown.new(
    Redcarpet::Render::HTML,
    escape_html: true   # also ends up in the parser's extension hash
  )

markdown.render("<style>style</style> <script>alert()</script>")

# => "<p><style>style</style> <script>alert()</script></p>\n"
matt (best answer):

These are options for the renderer, not the parser, so you need to pass them to the renderer, and then pass the configured renderer to the parser, e.g.:

markdown =
  Redcarpet::Markdown.new(
    Redcarpet::Render::HTML.new(escape_html: true),
    # other parser options here, e.g.
    autolink: true
  )