Channel: Recent Commits to feedbunch:b9449f6d225331bb85ea4a69dc6977874c75ff03

Sanitize plaintext with Loofah gem.


This is necessary because Loofah, unlike Sanitize, can be told not to escape HTML entities in the sanitized text. This is necessary to sanitize URLs entered by the user, otherwise & characters get converted to &amp; and the URL is broken.

However when told not to HTML-escape entities, Loofah also unescapes any escaped entities that were present in the input text. This means that a malicious user can still e.g. inject scripts by HTML-encoding the special < and > chars. To avoid this type of attack, we sanitize the text with Loofah several times, until either we lose our patience (at which point we return an empty string, admitting we cannot sanitize the input text) or the text doesn't change after sanitizing it with Loofah. Once sanitization doesn't change the text, it is safe to return.
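The "scrub until the text stops changing" loop the commit message describes, written out as an added example (not feedbunch's own code). The loop takes any scrubber as a block; in the application the block would be Loofah's real call, `Loofah.fragment(s).text(encode_special_chars: false)`. So that the example runs without the gem, the block used here is a constructed stand-in, `loofah_like_scrub`, that imitates the two behaviours the commit relies on (tags are removed, entities are left decoded). The names `sanitize_until_stable`, `sanitize_plaintext` and the round limit `MAX_ROUNDS = 5` are assumptions; the commit only says "until we lose our patience".

```ruby
require "cgi"

# Assumed upper bound on scrub passes; the commit does not give a number.
MAX_ROUNDS = 5

# Constructed stand-in for a Loofah scrub with encode_special_chars: false.
# It strips any markup and then decodes HTML entities. The decode step is
# what re-exposes encoded markup, which is why one pass is not enough.
# Real code would instead do:
#   Loofah.fragment(text).text(encode_special_chars: false)
def loofah_like_scrub(text)
  stripped = text.gsub(/<[^>]*>/, "")
  CGI.unescapeHTML(stripped)
end

# Repeatedly apply the scrubber passed as a block until one pass returns the
# text unchanged (a fixed point). If that never happens within max_rounds,
# give up and return "", as the commit message specifies.
def sanitize_until_stable(text, max_rounds: MAX_ROUNDS)
  current = text
  max_rounds.times do
    scrubbed = yield(current)
    return scrubbed if scrubbed == current
    current = scrubbed
  end
  ""
end

# Convenience wrapper using the stand-in scrubber.
def sanitize_plaintext(text)
  sanitize_until_stable(text) { |s| loofah_like_scrub(s) }
end

# Demonstration with constructed inputs.
url = "https://example.com/?a=1&b=2"
puts "URL survives with its & intact:      #{sanitize_plaintext(url)}"

encoded = "&lt;script&gt;alert(1)&lt;/script&gt;"
puts "One pass re-creates markup:         #{loofah_like_scrub(encoded)}"
puts "Looping scrubs it away:             #{sanitize_plaintext(encoded)}"

deep = "<b>x"
4.times { deep = CGI.escapeHTML(deep) }   # four layers of entity encoding
puts "Too many layers, give up and return: #{sanitize_plaintext(deep).inspect}"
```

Each pass decodes exactly one layer of entity encoding, so an input encoded k times needs k passes to become literal markup, one more to strip it and one more to confirm the result is stable; with a limit of 5 rounds, anything encoded more than three times deep is rejected with an empty string rather than returned half-sanitized.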
