The SanitizeHelper module provides a set of methods for scrubbing text of undesired HTML elements. These helper methods extend ActionView making them callable within your template files.
This sanitize helper will html encode all tags and strip all attributes that aren‘t specifically allowed. It also strips href/src tags with invalid protocols, like javascript: especially. It does its best to counter any tricks that hackers may use, like throwing in unicode/ascii/hex values to get past the javascript: filters. Check out the extensive test suite.
<%= sanitize @article.body %>
You can add or remove tags/attributes if you want to customize it a bit. See ActionView::Base for full docs on the available options. You can add tags/attributes for single uses of sanitize by passing either the :attributes or :tags options:
Normal Use
<%= sanitize @article.body %>
Custom Use (only the mentioned tags and attributes are allowed, nothing else)
<%= sanitize @article.body, :tags => %w(table tr td), :attributes => %w(id class style)
Add table tags to the default allowed tags
Rails::Initializer.run do |config| config.action_view.sanitized_allowed_tags = 'table', 'tr', 'td' end
Remove tags to the default allowed tags
Rails::Initializer.run do |config| config.after_initialize do ActionView::Base.sanitized_allowed_tags.delete 'div' end end
Change allowed default attributes
Rails::Initializer.run do |config| config.action_view.sanitized_allowed_attributes = 'id', 'class', 'style' end
Please note that sanitizing user-provided text does not guarantee that the resulting markup is valid (conforming to a document type) or even well-formed. The output may still contain e.g. unescaped ’<’, ’>’, ’&’ characters and confuse browsers.
[ show source ]
# File actionpack/lib/action_view/helpers/sanitize_helper.rb, line 51 51: def sanitize(html, options = {}) 52: self.class.white_list_sanitizer.sanitize(html, options).try(:html_safe) 53: end
Sanitizes a block of CSS code. Used by sanitize when it comes across a style attribute.
[ show source ]
# File actionpack/lib/action_view/helpers/sanitize_helper.rb, line 56 56: def sanitize_css(style) 57: self.class.white_list_sanitizer.sanitize_css(style) 58: end
Strips all link tags from text leaving just the link text.
Examples
strip_links('<a href="http://www.rubyonrails.org">Ruby on Rails</a>') # => Ruby on Rails strip_links('Please e-mail me at <a href="mailto:me@email.com">me@email.com</a>.') # => Please e-mail me at me@email.com. strip_links('Blog: <a href="http://www.myblog.com/" class="nav" target=\"_blank\">Visit</a>.') # => Blog: Visit
[ show source ]
# File actionpack/lib/action_view/helpers/sanitize_helper.rb, line 89 89: def strip_links(html) 90: self.class.link_sanitizer.sanitize(html) 91: end
Strips all HTML tags from the html, including comments. This uses the html-scanner tokenizer and so its HTML parsing ability is limited by that of html-scanner.
Examples
strip_tags("Strip <i>these</i> tags!") # => Strip these tags! strip_tags("<b>Bold</b> no more! <a href='more.html'>See more here</a>...") # => Bold no more! See more here... strip_tags("<div id='top-bar'>Welcome to my website!</div>") # => Welcome to my website!
[ show source ]
# File actionpack/lib/action_view/helpers/sanitize_helper.rb, line 74 74: def strip_tags(html) 75: self.class.full_sanitizer.sanitize(html).try(:html_safe) 76: end