The SanitizeHelper module provides a set of methods for scrubbing text of undesired HTML elements. These helper methods extend Action View making them callable within your template files.
This sanitize
helper will html encode all tags and strip all
attributes that aren't specifically allowed.
It also strips href/src tags with invalid protocols, like javascript: especially. It does its best to counter any tricks that hackers may use, like throwing in unicode/ascii/hex values to get past the javascript: filters. Check out the extensive test suite.
<%= sanitize @article.body %>
You can add or remove tags/attributes if you want to customize it a bit.
See ActionView::Base for full docs on the
available options. You can add tags/attributes for single uses of
sanitize
by passing either the :attributes
or
:tags
options:
Normal Use
<%= sanitize @article.body %>
Custom Use (only the mentioned tags and attributes are allowed, nothing else)
<%= sanitize @article.body, :tags => %w(table tr td), :attributes => %w(id class style) %>
Add table tags to the default allowed tags
class Application < Rails::Application config.action_view.sanitized_allowed_tags = 'table', 'tr', 'td' end
Remove tags to the default allowed tags
class Application < Rails::Application config.after_initialize do ActionView::Base.sanitized_allowed_tags.delete 'div' end end
Change allowed default attributes
class Application < Rails::Application config.action_view.sanitized_allowed_attributes = 'id', 'class', 'style' end
Please note that sanitizing user-provided text does not guarantee that the resulting markup is valid (conforming to a document type) or even well-formed. The output may still contain e.g. unescaped '<', '>', '&' characters and confuse browsers.
# File lib/action_view/helpers/sanitize_helper.rb, line 59 def sanitize(html, options = {}) self.class.white_list_sanitizer.sanitize(html, options).try(:html_safe) end
Sanitizes a block of CSS code. Used by sanitize
when it comes
across a style attribute.
# File lib/action_view/helpers/sanitize_helper.rb, line 64 def sanitize_css(style) self.class.white_list_sanitizer.sanitize_css(style) end
Strips all link tags from text
leaving just the link text.
strip_links('<a href="http://www.rubyonrails.org">Ruby on Rails</a>') # => Ruby on Rails strip_links('Please e-mail me at <a href="mailto:me@email.com">me@email.com</a>.') # => Please e-mail me at me@email.com. strip_links('Blog: <a href="http://www.myblog.com/" class="nav" target=\"_blank\">Visit</a>.') # => Blog: Visit.
# File lib/action_view/helpers/sanitize_helper.rb, line 97 def strip_links(html) self.class.link_sanitizer.sanitize(html) end