ActionView::Helpers::SanitizeHelper
module ActionView::Helpers::SanitizeHelper
The SanitizeHelper module provides a set of methods for scrubbing text of undesired HTML elements. These helper methods extend Action View making them callable within your template files.
Public Instance Methods
Sanitizes HTML input, stripping all tags and attributes that aren't whitelisted.
It also strips href/src attributes with unsafe protocols like javascript:
, while also protecting against attempts to use Unicode, ASCII, and hex character references to work around these protocol filters.
The default sanitizer is Rails::Html::WhiteListSanitizer. See Rails HTML Sanitizers for more information.
Custom sanitization rules can also be provided.
Please note that sanitizing user-provided text does not guarantee that the resulting markup is valid or even well-formed. For example, the output may still contain unescaped characters like <
, >
, or &
.
Options
-
:tags
- An array of allowed tags. -
:attributes
- An array of allowed attributes. -
:scrubber
- A Rails::Html scrubber or Loofah::Scrubber object that defines custom sanitization rules. A custom scrubber takes precedence over custom tags and attributes.
Examples
Normal use:
<%= sanitize @comment.body %>
Providing custom whitelisted tags and attributes:
<%= sanitize @comment.body, tags: %w(strong em a), attributes: %w(href) %>
Providing a custom Rails::Html scrubber:
class CommentScrubber < Rails::Html::PermitScrubber def allowed_node?(node) !%w(form script comment blockquote).include?(node.name) end def skip_node?(node) node.text? end def scrub_attribute?(name) name == 'style' end end <%= sanitize @comment.body, scrubber: CommentScrubber.new %>
See Rails HTML Sanitizer for documentation about Rails::Html scrubbers.
Providing a custom Loofah::Scrubber:
scrubber = Loofah::Scrubber.new do |node| node.remove if node.name == 'script' end <%= sanitize @comment.body, scrubber: scrubber %>
See Loofah’s documentation for more information about defining custom Loofah::Scrubber objects.
To set the default allowed tags or attributes across your application:
# In config/application.rb config.action_view.sanitized_allowed_tags = ['strong', 'em', 'a'] config.action_view.sanitized_allowed_attributes = ['href', 'title']
# File actionview/lib/action_view/helpers/sanitize_helper.rb, line 82 def sanitize(html, options = {}) self.class.white_list_sanitizer.sanitize(html, options).try(:html_safe) end
Sanitizes a block of CSS code. Used by sanitize
when it comes across a style attribute.
# File actionview/lib/action_view/helpers/sanitize_helper.rb, line 87 def sanitize_css(style) self.class.white_list_sanitizer.sanitize_css(style) end
Strips all link tags from html
leaving just the link text.
strip_links('<a href="http://www.rubyonrails.org" rel="external nofollow" target="_blank" >Ruby on Rails</a>') # => Ruby on Rails strip_links('Please e-mail me at <a href="rails_5_0-actionview-helpers-mailto:me@email-com.html?lang=en">me@email.com</a>.') # => Please e-mail me at me@email.com. strip_links('Blog: <a href="http://www.myblog.com/" rel="external nofollow" target="_blank" class="nav" target=\"_blank\">Visit</a>.') # => Blog: Visit.
# File actionview/lib/action_view/helpers/sanitize_helper.rb, line 115 def strip_links(html) self.class.link_sanitizer.sanitize(html) end
Strips all HTML tags from html
, including comments.
strip_tags("Strip <i>these</i> tags!") # => Strip these tags! strip_tags("<b>Bold</b> no more! <a href='more.html'>See more here</a>...") # => Bold no more! See more here... strip_tags("<div id='top-bar'>Welcome to my website!</div>") # => Welcome to my website!
# File actionview/lib/action_view/helpers/sanitize_helper.rb, line 101 def strip_tags(html) self.class.full_sanitizer.sanitize(html, encode_special_chars: false) end
© 2004–2017 David Heinemeier Hansson
Licensed under the MIT License.