Module ActionView::Helpers::SanitizeHelper
In: vendor/rails/actionpack/lib/action_view/helpers/sanitize_helper.rb
The SanitizeHelper module provides a set of methods for scrubbing text of undesired HTML elements. These helper methods extend ActionView, making them callable within your template files.
# File vendor/rails/actionpack/lib/action_view/helpers/sanitize_helper.rb, line 9
    def self.included(base)
      base.extend(ClassMethods)
    end
This sanitize helper will HTML-encode all tags and strip all attributes that aren't specifically allowed. It also strips href/src attributes with invalid protocols, javascript: in particular. It does its best to counter the tricks attackers use to get past the javascript: filter, such as inserting unicode, ASCII or hex-encoded characters into the scheme. Check out the extensive test suite.
<%= sanitize @article.body %>
You can add or remove tags/attributes if you want to customize it a bit. See ActionView::Base for full docs on the available options. You can add tags/attributes for single uses of sanitize by passing either the :attributes or :tags options:
Normal Use
<%= sanitize @article.body %>
Custom Use (only the mentioned tags and attributes are allowed, nothing else)
<%= sanitize @article.body, :tags => %w(table tr td), :attributes => %w(id class style) %>
Add table tags to the default allowed tags
Rails::Initializer.run do |config|
  config.action_view.sanitized_allowed_tags = 'table', 'tr', 'td'
end
Remove tags from the default allowed tags
Rails::Initializer.run do |config|
  config.after_initialize do
    ActionView::Base.sanitized_allowed_tags.delete 'div'
  end
end
Change allowed default attributes
Rails::Initializer.run do |config|
  config.action_view.sanitized_allowed_attributes = 'id', 'class', 'style'
end
Please note that sanitizing user-provided text does not guarantee that the resulting markup is valid (conforming to a document type) or even well-formed. The output may still contain e.g. unescaped '<', '>', '&' characters and confuse browsers.
# File vendor/rails/actionpack/lib/action_view/helpers/sanitize_helper.rb, line 56
    def sanitize(html, options = {})
      self.class.white_list_sanitizer.sanitize(html, options)
    end
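The whitelist behaviour described above (allowed tags, attribute stripping, href/src protocol filtering, and the entity and control-character tricks the filter has to survive), as an added example in plain Ruby. This is not Rails' HTML::WhiteListSanitizer and not the helper's own code: SAFE_TAGS, SAFE_ATTRS, SAFE_PROTOCOLS, the regexes, the tiny entity table and every function name are this example's own assumptions, and the default tag and attribute sets are invented for illustration.

```ruby
# Added example: a minimal whitelist sanitizer in plain Ruby. Not Rails code;
# all defaults and names below are assumptions made for this illustration.
SAFE_TAGS      = %w(a b i em strong p br ul ol li).freeze  # assumed defaults
SAFE_ATTRS     = %w(href src title alt).freeze             # assumed defaults
SAFE_PROTOCOLS = %w(http https mailto ftp).freeze
URI_ATTRS      = %w(href src).freeze

# Tokens: comment | tag | run of text | stray '<'. No capture groups, so
# String#scan returns plain strings.
TOKEN_RE = /<!--.*?-->|<\/?[a-zA-Z][a-zA-Z0-9]*[^>]*>|[^<]+|</m
TAG_RE   = /\A<(\/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*?)(\/?)>\z/m
ATTR_RE  = /([a-zA-Z_:][-a-zA-Z0-9_:.]*)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/m

# Named entities that matter for URL obfuscation (javascript&colon;, &Tab;).
ENTITIES = { 'amp' => '&', 'lt' => '<', 'gt' => '>', 'quot' => '"', 'apos' => "'",
             'colon' => ':', 'tab' => "\t", 'newline' => "\n" }.freeze
ESCAPES  = { '&' => '&amp;', '<' => '&lt;', '>' => '&gt;', '"' => '&quot;', "'" => '&#39;' }.freeze

def escape_html(str)
  str.gsub(/[&<>"']/, ESCAPES)
end

# Decode character references ONCE (a browser decodes once too). Decimal and
# hex references are accepted with or without the trailing ';', as browsers do.
def decode_entities(str)
  str.gsub(/&(?:#x([0-9a-f]+)|#(\d+)|([a-z]+));?/i) do
    if $3
      ENTITIES[$3.downcase] || $&
    else
      n = $1 ? $1.hex : $2.to_i
      n.between?(1, 0x10FFFF) ? (n.chr(Encoding::UTF_8) rescue '') : ''
    end
  end
end

# True when the decoded, de-obfuscated value carries a scheme that is not
# allowed. Control and whitespace characters ("java\tscript:", "java\0script:")
# are dropped and the scheme lowercased first; relative URLs always pass.
def unsafe_protocol?(value)
  cleaned = decode_entities(value).gsub(/[[:cntrl:][:space:]]/, '').downcase
  return false unless cleaned =~ /\A([a-z][a-z0-9+.\-]*):/
  !SAFE_PROTOCOLS.include?($1)
end

# Rebuild an allowed tag keeping only allowed attributes; href/src values with
# a bad scheme are dropped, surviving values are decoded then re-escaped.
def rebuild_tag(closing, name, attr_str, selfclose, allowed_attrs)
  return "</#{name}>" unless closing.empty?
  kept = attr_str.scan(ATTR_RE).map do |aname, dq, sq, bare|
    aname = aname.downcase
    value = dq || sq || bare
    next unless allowed_attrs.include?(aname)
    next if value && URI_ATTRS.include?(aname) && unsafe_protocol?(value)
    value ? %(#{aname}="#{escape_html(decode_entities(value))}") : aname
  end.compact
  "<#{name}#{kept.map { |a| ' ' + a }.join}#{selfclose.empty? ? '' : ' /'}>"
end

# Allowed tags are rebuilt, disallowed tags are HTML-encoded so they render as
# text, comments are dropped, and text runs pass through untouched.
def whitelist_sanitize(html, tags: SAFE_TAGS, attributes: SAFE_ATTRS)
  html.scan(TOKEN_RE).map do |tok|
    if tok.start_with?('<!--')
      ''
    elsif (m = TAG_RE.match(tok))
      closing, name, attrs, selfclose = m.captures
      name = name.downcase
      tags.include?(name) ? rebuild_tag(closing, name, attrs, selfclose, attributes)
                          : escape_html(tok)
    else
      tok
    end
  end.join
end

# Constructed sample input, the kind of thing the helper's test suite covers.
if __FILE__ == $PROGRAM_NAME
  puts whitelist_sanitize('<a href="jav&#x09;ascript:alert(1)" onclick="x()">x</a><script>alert(1)</script>')
end
```

Two design points worth keeping when writing a filter like this: decode entities exactly once before looking at the scheme (double-decoding makes `&amp;#106;` look like a `j`, which no browser would see), and never compare the raw attribute value against a blocklist string, since `JaVaScRiPt:`, `java\tscript:` and `&#106;avascript:` are all the same scheme to the browser. As with the helper, a stray `<` in a text run passes through unchanged, so the result is sanitized markup, not guaranteed well-formed markup.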
Strips all link tags from text, leaving just the link text.
strip_links('<a href="http://www.rubyonrails.org">Ruby on Rails</a>')
# => Ruby on Rails
strip_links('Please e-mail me at <a href="mailto:me@email.com">me@email.com</a>.')
# => Please e-mail me at me@email.com.
strip_links('Blog: <a href="http://www.myblog.com/" class="nav" target="_blank">Visit</a>.')
# => Blog: Visit.
# File vendor/rails/actionpack/lib/action_view/helpers/sanitize_helper.rb, line 94
    def strip_links(html)
      self.class.link_sanitizer.sanitize(html)
    end
Strips all HTML tags from the html, including comments. This uses the html-scanner tokenizer and so its HTML parsing ability is limited by that of html-scanner.
strip_tags("Strip <i>these</i> tags!")
# => Strip these tags!
strip_tags("<b>Bold</b> no more! <a href='more.html'>See more here</a>...")
# => Bold no more! See more here...
strip_tags("<div id='top-bar'>Welcome to my website!</div>")
# => Welcome to my website!
# File vendor/rails/actionpack/lib/action_view/helpers/sanitize_helper.rb, line 79
    def strip_tags(html)
      self.class.full_sanitizer.sanitize(html)
    end
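The two stripping helpers above, plus the step the note on well-formedness leaves to the caller, as an added example in plain Ruby. This is not Rails' FullSanitizer or LinkSanitizer and not the html-scanner tokenizer; the regexes and the function names strip_all_tags, strip_link_tags and strip_to_text are this example's own.

```ruby
# Added example: regex-based tag and link stripping. Not Rails code; the
# patterns and names are assumptions made for this illustration.
TAG_OR_COMMENT_RE = /<!--.*?-->|<\/?[a-zA-Z][^>]*>/m
LINK_TAG_RE       = /<\/?a\b[^>]*>/im   # \b keeps <abbr>, <address> etc. intact
ESCAPES = { '&' => '&amp;', '<' => '&lt;', '>' => '&gt;', '"' => '&quot;', "'" => '&#39;' }.freeze

# Remove every tag and every <!-- comment -->, keeping the text between them.
def strip_all_tags(html)
  html.gsub(TAG_OR_COMMENT_RE, '')
end

# Remove only <a ...> and </a>, leaving the link text and all other tags alone.
def strip_link_tags(html)
  html.gsub(LINK_TAG_RE, '')
end

# The stripped result is plain text, not safe HTML: a stray '<' survives
# untouched, and a single stripping pass can even assemble a tag out of
# fragments ("<<b>script>" loses its <b> and becomes "<script>"). Escape the
# result before it is rendered as markup.
def strip_to_text(html)
  strip_all_tags(html).gsub(/[&<>"']/, ESCAPES)
end

# Constructed sample inputs.
if __FILE__ == $PROGRAM_NAME
  puts strip_all_tags("<!-- nav --><div id='top-bar'>Welcome to my website!</div>")
  puts strip_link_tags('Blog: <a href="http://www.myblog.com/" class="nav" target="_blank">Visit</a>.')
  puts strip_to_text("<<b>script>alert(1)")
end
```

The last function is the practical point: a stripper removes what it recognises as a tag and leaves everything else as it was, so its output belongs in a text context (or goes through an HTML escape) rather than straight back into a page as markup.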