Use a better HTML sanitizer that makes sure the HTML is well formed and

can add rel="nofollow" to links.

diff --git a/app/helpers/application_helper.rb b/app/helpers/application_helper.rb
index 7a4953f0ffdf79c835efb6c428474101f1f75178..2ed50216ff257d22ed58ed50a0b7eb3cd1c3bac7 100644 (file)
--- a/app/helpers/application_helper.rb
+++ b/app/helpers/application_helper.rb
@@ -1,6 +1,10 @@
 module ApplicationHelper
   require 'rexml/document'
 
+  def sanitize(text)
+    Sanitize.clean(text, Sanitize::Config::OSM)
+  end
+
   def htmlize(text)
     return linkify(sanitize(simple_format(text)))
   end

diff --git a/config/environment.rb b/config/environment.rb
index ba5241a21fc47a1d3a03c60a9fcab341585e5dac..539af83b2971842a09296fe6456493c4c79e3571 100644 (file)
--- a/config/environment.rb
+++ b/config/environment.rb
@@ -53,6 +53,7 @@ Rails::Initializer.run do |config|
   config.gem 'oauth', :version => '>= 0.3.6'
   config.gem 'httpclient'
   config.gem 'SystemTimer', :version => '>= 1.1.3', :lib => 'system_timer'
+  config.gem 'sanitize'
 
   # Only load the plugins named here, in the order given. By default, all plugins
   # in vendor/plugins are loaded in alphabetical order.

diff --git a/config/initializers/sanitize.rb b/config/initializers/sanitize.rb
new file mode 100644 (file)
index 0000000..7360e27
--- /dev/null
+++ b/config/initializers/sanitize.rb
@@ -0,0 +1,3 @@
+Sanitize::Config::OSM = Sanitize::Config::RELAXED.dup
+
+Sanitize::Config::OSM[:add_attributes] = { 'a' => { 'rel' => 'nofollow' } }