Peter Marklund

Mon Mar 26 2007 03:20:06 GMT+0000 (Coordinated Universal Time)

Abandoning Textilize for Comment Formatting

I've been using the textilize helper for comment formatting in this blog. The textilize helper uses the RedCloth gem, which supports both Textile and Markdown syntax; it is fairly complex code with lots of hairy regular expressions. I noticed that the textilize helper lets arbitrary HTML tags through, so a comment can break the HTML of a page. That looks like a cross-site scripting vulnerability, and it's even more of a problem for me since I like to be able to HTML-validate my pages. I decided to stop using textilize for comments and instead use the following simpler and tighter formatting:

  # HTML-escape the comment, convert line breaks to <br />, and turn bare URLs into links.
  # Relies on the Rails view helpers h (html_escape) and simple_format.
  def simple_link_format(text)
    # Adapted from http://snippets.dzone.com/posts/show/3654
    # Matches http(s)://host.tld[:port][/path]; the optional port now carries its
    # colon, and the path stops at the first whitespace so trailing text is not
    # swallowed into the link.
    url_regex = /(http|https):\/\/[a-z0-9]+([\-\.]{1}[a-z0-9]+)*\.[a-z]{2,5}(:[0-9]{1,5})?(\/\S*)?/i
    # Escape first, then link: both the href and the link text are already HTML-safe
    simple_format(h(text).gsub(url_regex, '<a href="\0">\0</a>'))
  end
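To show the escape-then-link order at work outside a Rails app, here is an added, stand-alone example (not the blog's helper and not Rails code). It assumes CGI.escapeHTML in place of the Rails h helper and a small hand-written paragraph routine in place of simple_format; the URL pattern is the corrected one above, and the sample comments are constructed.

```ruby
require "cgi"

# Stand-alone version of the escape-then-link comment formatter (constructed
# example; CGI.escapeHTML stands in for the Rails h helper and CommentFormat.paragraphs
# stands in for simple_format).
module CommentFormat
  # http(s)://host.tld[:port][/path]; the path ends at the first whitespace
  URL_REGEX = /https?:\/\/[a-z0-9]+([\-.][a-z0-9]+)*\.[a-z]{2,5}(:[0-9]{1,5})?(\/\S*)?/i

  # Step 1: escape every HTML metacharacter so comment text can only ever be text.
  def self.escape(text)
    CGI.escapeHTML(text)
  end

  # Step 2: wrap bare URLs in anchors. This runs on already-escaped text, so the
  # href can only contain characters the escaping let through (e.g. & is &amp;).
  def self.autolink(escaped)
    escaped.gsub(URL_REGEX) { |url| %(<a href="#{url}">#{url}</a>) }
  end

  # Step 3: one <p> per blank-line-separated block, <br /> for single newlines.
  def self.paragraphs(html)
    html.split(/\n\s*\n/).map { |para| "<p>#{para.gsub("\n", "<br />")}</p>" }.join("\n")
  end

  # The full pipeline: escape, then link, then lay out paragraphs.
  def self.simple_link_format(text)
    paragraphs(autolink(escape(text)))
  end
end

if __FILE__ == $0
  # Constructed comment: a tag that must not survive, a URL with a query string,
  # and trailing text that must stay outside the link.
  puts CommentFormat.simple_link_format(
    "<script>alert(1)</script> see http://example.com/path?a=1&b=2 thanks\n\nSecond paragraph"
  )
end
```

Because escaping happens before linking, a comment author cannot smuggle a tag through the autolinker: the only markup in the output is the anchor and paragraph tags the formatter itself emits, which also keeps the page valid HTML.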