ActionView::Helpers::SanitizeHelper

The SanitizeHelper module provides a set of methods for scrubbing text of undesired HTML elements. These helper methods extend Action View making them callable within your template files.

Public Instance Methods

sanitize(html, options = {})

This sanitize helper will HTML-encode all tags and strip all attributes that aren't specifically allowed.

It also strips href/src attributes whose protocol is not allowed, most notably javascript:. It does its best to counter the tricks used to get past the javascript: filter, such as spelling the scheme with unicode, ASCII or hex character values. Check out the extensive test suite.
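The protocol check described above, written out in plain Ruby as an added example (this is not Rails' own sanitizer code; the ProtocolCheck module, its allow list and the NAMED_REFS table are assumptions for illustration):

```ruby
require 'cgi'

# Hypothetical helper, not Rails' own code: the href/src protocol check an
# allow-list sanitizer applies, with the entity/whitespace tricks the text
# mentions normalised away before the scheme is compared.
module ProtocolCheck
  ALLOWED_PROTOCOLS = %w[http https mailto ftp].freeze  # assumed allow list
  URI_ATTRIBUTES    = %w[href src].freeze
  NAMED_REFS = { 'colon' => ':', 'tab' => "\t", 'newline' => "\n" }.freeze

  # Turn a character reference into its character; drop references that
  # are out of range or surrogates rather than letting them raise.
  def self.codepoint_to_s(n)
    n.chr(Encoding::UTF_8)
  rescue RangeError
    ''
  end

  # "j&#97;va&#x73;cript&colon;" decodes to "javascript:"; browsers also
  # accept numeric references without the trailing semicolon, so allow it.
  def self.decode_entities(value)
    step = value.gsub(/&#x([0-9a-f]+);?/i) { codepoint_to_s($1.hex) }
    step = step.gsub(/&#(\d+);?/) { codepoint_to_s($1.to_i) }
    step = step.gsub(/&(colon|tab|newline);/i) { NAMED_REFS[$1.downcase] }
    CGI.unescapeHTML(step)
  end

  # Browsers remove tab/LF/CR anywhere in a URL and strip leading C0
  # controls and spaces, so "java\tscript:" still runs; do the same here.
  def self.normalise(value)
    decoded = decode_entities(value.to_s)
    decoded.delete("\t\n\r").sub(/\A[\u0000-\u0020]+/, '').downcase
  end

  # A value with no ':' before the first '/', '?' or '#' is a relative URL
  # and is kept; anything else must carry an allow-listed scheme.
  def self.allowed_protocol?(value)
    head = normalise(value).split(%r{[/?#]}, 2).first.to_s
    return true unless head.include?(':')
    ALLOWED_PROTOCOLS.include?(head.split(':', 2).first)
  end

  # Keep only allow-listed attributes, and for href/src only when the
  # protocol check passes. Returns the surviving attributes as a Hash.
  def self.scrub_attributes(attrs, allowed_attrs)
    attrs.select do |name, value|
      key = name.to_s.downcase
      allowed_attrs.include?(key) &&
        (!URI_ATTRIBUTES.include?(key) || allowed_protocol?(value))
    end
  end
end
```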

  <%= sanitize @article.body %>

You can add or remove tags/attributes if you want to customize it a bit. See ActionView::Base for full docs on the available options. You can add tags/attributes for single uses of sanitize by passing either the :attributes or :tags options:

Normal Use

  <%= sanitize @article.body %>

Custom Use (only the mentioned tags and attributes are allowed, nothing else)

  <%= sanitize @article.body, :tags => %w(table tr td), :attributes => %w(id class style) %>

Add table tags to the default allowed tags

  class Application < Rails::Application
    config.action_view.sanitized_allowed_tags = 'table', 'tr', 'td'
  end

Remove tags from the default allowed tags

  class Application < Rails::Application
    config.after_initialize do
      ActionView::Base.sanitized_allowed_tags.delete 'div'
    end
  end

Change allowed default attributes

  class Application < Rails::Application
    config.action_view.sanitized_allowed_attributes = 'id', 'class', 'style'
  end

Please note that sanitizing user-provided text does not guarantee that the resulting markup is valid (conforming to a document type) or even well-formed. The output may still contain unescaped '<', '>' and '&' characters, for example, and confuse browsers.

    # File lib/action_view/helpers/sanitize_helper.rb, line 60
    def sanitize(html, options = {})
      self.class.white_list_sanitizer.sanitize(html, options).try(:html_safe)
    end

sanitize_css(style)

Sanitizes a block of CSS code. Used by sanitize when it comes across a style attribute.

    # File lib/action_view/helpers/sanitize_helper.rb, line 65
    def sanitize_css(style)
      self.class.white_list_sanitizer.sanitize_css(style)
    end

strip_tags(html)

Strips all HTML tags from the html, including comments. This uses the html-scanner tokenizer, so its HTML parsing ability is limited by that of html-scanner.

Examples

  strip_tags("Strip <i>these</i> tags!")
  # => Strip these tags!

  strip_tags("<b>Bold</b> no more!  <a href='more.html'>See more here</a>...")
  # => Bold no more!  See more here...

  strip_tags("<div id='top-bar'>Welcome to my website!</div>")
  # => Welcome to my website!

    # File lib/action_view/helpers/sanitize_helper.rb, line 83
    def strip_tags(html)
      self.class.full_sanitizer.sanitize(html).try(:html_safe)
    end


Generated with the Darkfish Rdoc Generator 1.1.6.