The SanitizeHelper module provides a set of methods for scrubbing text of undesired HTML elements. These helper methods extend Action View making them callable within your template files.

Instance Public methods
sanitize(html, options = {})

Sanitizes HTML input, stripping all tags and attributes that aren't whitelisted.

It also strips href/src attributes with unsafe protocols like javascript:, while also protecting against attempts to use Unicode, ASCII, and hex character references to work around these protocol filters.

The default sanitizer is Rails::Html::WhiteListSanitizer. See Rails HTML Sanitizers for more information.

Custom sanitization rules can also be provided.

Please note that sanitizing user-provided text does not guarantee that the resulting markup is valid or even well-formed. For example, the output may still contain unescaped characters like <, >, or &.


  • :tags - An array of allowed tags.

  • :attributes - An array of allowed attributes.

  • :scrubber - A Rails::Html scrubber or Loofah::Scrubber object that defines custom sanitization rules. A custom scrubber takes precedence over custom tags and attributes.


Normal use:

<%= sanitize @comment.body %>

Providing custom whitelisted tags and attributes:

<%= sanitize @comment.body, tags: %w(strong em a), attributes: %w(href) %>

Providing a custom Rails::Html scrubber:

class CommentScrubber < Rails::Html::PermitScrubber
  def allowed_node?(node)
    !%w(form script comment blockquote).include?(

  def skip_node?(node)

  def scrub_attribute?(name)
    name == 'style'

<%= sanitize @comment.body, scrubber: %>

See Rails HTML Sanitizer for documentation about Rails::Html scrubbers.

Providing a custom Loofah::Scrubber:

scrubber = do |node|
  node.remove if == 'script'

<%= sanitize @comment.body, scrubber: scrubber %>

See Loofah’s documentation for more information about defining custom Loofah::Scrubber objects.

To set the default allowed tags or attributes across your application:

# In config/application.rb
config.action_view.sanitized_allowed_tags = ['strong', 'em', 'a']
config.action_view.sanitized_allowed_attributes = ['href', 'title']
# File actionview/lib/action_view/helpers/sanitize_helper.rb, line 83
def sanitize(html, options = {})
  self.class.white_list_sanitizer.sanitize(html, options).try(:html_safe)

Sanitizes a block of CSS code. Used by sanitize when it comes across a style attribute.

# File actionview/lib/action_view/helpers/sanitize_helper.rb, line 88
def sanitize_css(style)

Strips all link tags from html leaving just the link text.

strip_links('<a href="">Ruby on Rails</a>')
# => Ruby on Rails

strip_links('Please e-mail me at <a href=""></a>.')
# => Please e-mail me at

strip_links('Blog: <a href="" class="nav" target=\"_blank\">Visit</a>.')
# => Blog: Visit.

Strips all HTML tags from html, including comments.

strip_tags("Strip <i>these</i> tags!")
# => Strip these tags!

strip_tags("<b>Bold</b> no more!  <a href='more.html'>See more here</a>...")
# => Bold no more!  See more here...

strip_tags("<div id='top-bar'>Welcome to my website!</div>")
# => Welcome to my website!
# File actionview/lib/action_view/helpers/sanitize_helper.rb, line 102
def strip_tags(html)
  self.class.full_sanitizer.sanitize(html, encode_special_chars: false)