The SanitizeHelper module provides a set of methods for scrubbing text of undesired HTML elements. These helper methods extend ActionView making them callable within your template files.
This sanitize helper will html encode all tags and strip all attributes that aren’t specifically allowed. It also strips href/src tags with invalid protocols, like javascript: especially. It does its best to counter any tricks that hackers may use, like throwing in unicode/ascii/hex values to get past the javascript: filters. Check out the extensive test suite.
<%= sanitize @article.body %>
You can add or remove tags/attributes if you want to customize it a bit. See ActionView::Base for full docs on the available options. You can add tags/attributes for single uses of sanitize by passing either the :attributes or :tags options:
Normal Use
<%= sanitize @article.body %>
Custom Use (only the mentioned tags and attributes are allowed, nothing else)
<%= sanitize @article.body, :tags => %w(table tr td), :attributes => %w(id class style)
Add table tags to the default allowed tags
Rails::Initializer.run do |config| config.action_view.sanitized_allowed_tags = 'table', 'tr', 'td' end
Remove tags to the default allowed tags
Rails::Initializer.run do |config| config.after_initialize do ActionView::Base.sanitized_allowed_tags.delete 'div' end end
Change allowed default attributes
Rails::Initializer.run do |config| config.action_view.sanitized_allowed_attributes = 'id', 'class', 'style' end
Please note that sanitizing user-provided text does not guarantee that the resulting markup is valid (conforming to a document type) or even well-formed. The output may still contain e.g. unescaped ‘<’, ‘>’, ‘&’ characters and confuse browsers.
# File lib/action_view/helpers/sanitize_helper.rb, line 51 def sanitize(html, options = {}) self.class.white_list_sanitizer.sanitize(html, options).try(:html_safe) end
Sanitizes a block of CSS code. Used by sanitize when it comes across a style attribute.
# File lib/action_view/helpers/sanitize_helper.rb, line 56 def sanitize_css(style) self.class.white_list_sanitizer.sanitize_css(style) end
Strips all link tags from text leaving just the link text.
strip_links('<a href="http://www.rubyonrails.org">Ruby on Rails</a>') # => Ruby on Rails strip_links('Please e-mail me at <a href="mailto:me@email.com">me@email.com</a>.') # => Please e-mail me at me@email.com. strip_links('Blog: <a href="http://www.myblog.com/" class="nav" target=\"_blank\">Visit</a>.') # => Blog: Visit
# File lib/action_view/helpers/sanitize_helper.rb, line 89 def strip_links(html) self.class.link_sanitizer.sanitize(html) end
Generated with the Darkfish Rdoc Generator 2.