The SanitizeHelper module provides a set of methods for scrubbing text of undesired HTML elements. These helper methods extend Action View making them callable within your template files.
This sanitize helper will html encode all tags and strip all attributes that aren’t specifically allowed.
It also strips href/src tags with invalid protocols, like javascript: especially. It does its best to counter any tricks that hackers may use, like throwing in unicode/ascii/hex values to get past the javascript: filters. Check out the extensive test suite.
<%= sanitize @article.body %>
You can add or remove tags/attributes if you want to customize it a bit. See ActionView::Base for full docs on the available options. You can add tags/attributes for single uses of sanitize by passing either the :attributes or :tags options:
Normal Use
<%= sanitize @article.body %>
Custom Use (only the mentioned tags and attributes are allowed, nothing else)
<%= sanitize @article.body, :tags => %w(table tr td), :attributes => %w(id class style) %>
Add table tags to the default allowed tags
class Application < Rails::Application config.action_view.sanitized_allowed_tags = 'table', 'tr', 'td' end
Remove tags to the default allowed tags
class Application < Rails::Application config.after_initialize do ActionView::Base.sanitized_allowed_tags.delete 'div' end end
Change allowed default attributes
class Application < Rails::Application config.action_view.sanitized_allowed_attributes = 'id', 'class', 'style' end
Please note that sanitizing user-provided text does not guarantee that the resulting markup is valid (conforming to a document type) or even well-formed. The output may still contain e.g. unescaped ‘<’, ‘>’, ‘&’ characters and confuse browsers.
# File lib/action_view/helpers/sanitize_helper.rb, line 60 def sanitize(html, options = {}) self.class.white_list_sanitizer.sanitize(html, options).try(:html_safe) end
Sanitizes a block of CSS code. Used by sanitize when it comes across a style attribute.
# File lib/action_view/helpers/sanitize_helper.rb, line 65 def sanitize_css(style) self.class.white_list_sanitizer.sanitize_css(style) end
Strips all link tags from text leaving just the link text.
strip_links('<a href="http://www.rubyonrails.org">Ruby on Rails</a>') # => Ruby on Rails strip_links('Please e-mail me at <a href="mailto:me@email.com">me@email.com</a>.') # => Please e-mail me at me@email.com. strip_links('Blog: <a href="http://www.myblog.com/" class="nav" target=\"_blank\">Visit</a>.') # => Blog: Visit.
# File lib/action_view/helpers/sanitize_helper.rb, line 98 def strip_links(html) self.class.link_sanitizer.sanitize(html) end
Generated with the Darkfish Rdoc Generator 2.