Module: Shamu::Attributes::HtmlSanitation

Extended by:
ActiveSupport::Concern
Included in:
Entities::HtmlSanitation
Defined in:
lib/shamu/attributes/html_sanitation.rb

Overview

Adds an HTML sanitation option to attributes. When present, string values will be sanitized when the attribute is read.

The raw unfiltered value is always available as #{ attribute }_raw.

Defined Under Namespace

Classes: BodyScrubber, NoneScrubber, PermitScrubber, SafeScrubber, SimpleScrubber

Constant Summary

STANDARD_FILTER_METHODS =

The standard HTML sanitation filter methods.

[
  :none,      # Don't allow any HTML
  :simple,    # Allow very simple HTML. See {#simple_html_sanitize}.
  :body,      # Allow subset useful for body copy. See
              #   {#body_html_sanitize}.
  :safe,      # Allow a broad subset of HTML tags and attributes. See
              #   {#safe_html_sanitize}.
  :allow      # Allow all HTML.
].freeze
SIMPLE_TAGS =

Tags safe for simple text.

%w( B I STRONG EM ).freeze
BODY_TAGS =

Tags safe for body text.

%w( B BR CODE DIV EM H2 H3 H4 H5 H6 HR I LI OL P PRE SPAN STRONG U UL ).freeze
UNSAFE_TAGS =

Tags that are not safe.

%w( FORM SCRIPT IFRAME FRAME ).freeze

Class Method Summary

Instance Method Summary

Class Method Details

.attribute(name, on: , default: , build: , &block) ⇒ self
.attribute(name, build, on: , default: , &block) ⇒ self

Define a new attribute for the class.

Parameters:

  • name (Symbol)

    of the attribute.

  • as (Symbol)

    an alias of the attribute.

  • on (Symbol)

    another method on the class to delegate the attribute to.

  • default (Object, #call)

    value if not set.

  • build (Class, #call)

    method used to build a nested object on assignment of a hash with nested keys.

  • serialize (Boolean)

    true if the attribute should be included in Shamu::Attributes#to_attributes. Default true.

  • html (Symbol, #call)

    sanitation options. Acceptable values are

    • :none strip all HTML. The default.
    • :simple simple formatting suitable for most places. See #simple_html_sanitize for details.
    • :body basic formatting for 'body' text. See #body_html_sanitize for details.
    • :allow permit any HTML tag.
    • Any other symbol is assumed to be a method on the entity that will be called to filter the html.
    • #call anything that responds to #call that takes a single argument of the raw string and returns the sanitized HTML.

Yield Returns:

  • the value of the attribute. The result is memoized so the block is only invoked once.

Returns:

  • (self)


# File 'lib/shamu/attributes/html_sanitation.rb', line 47

def attribute( name, *args, **options, &block )
  super.tap do
    define_html_sanitized_attribute_reader( name, options[ :html ] ) if options.key?( :html )
  end
end
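The html: option semantics above (raw value kept as <name>_raw, sanitized on read, dispatch to a named filter method or to anything responding to #call) as an added, self-contained sketch. This is not Shamu's code: Shamu delegates to Loofah scrubbers, whereas the :none and :simple filters here are offline stand-ins (a tag whitelist that escapes everything else), and the convention that an unrecognised symbol is called directly as an entity method is an assumption.

```ruby
require "cgi"
# Sketch of the read-time dispatch behind the html: option (added example, not
# Shamu's code, which uses Loofah scrubbers; these filters are offline stand-ins).
module HtmlSanitationDemo
  SIMPLE_TAGS = %w[B I STRONG EM].freeze   # same set as the page's constant

  # :none -> all markup is escaped to literal text.
  def none_html_sanitize(value)
    return value unless value.is_a?(String)
    CGI.escapeHTML(value)
  end

  # :simple -> keep SIMPLE_TAGS (attributes dropped), escape any other tag.
  def simple_html_sanitize(value)
    return value unless value.is_a?(String)
    value.gsub(%r{</?([A-Za-z0-9]+)[^>]*>|[<>&"']}) do |tok|
      name = Regexp.last_match(1)
      if name && SIMPLE_TAGS.include?(name.upcase)
        (tok.start_with?("</") ? "</" : "<") + name.downcase + ">"
      else
        CGI.escapeHTML(tok)
      end
    end
  end

  module ClassMethods
    # Raw value is always readable as <name>_raw; the plain reader sanitizes on every read.
    def attribute(name, html: :none)
      attr_accessor :"#{name}_raw"
      define_method(name) do
        raw = public_send(:"#{name}_raw")
        if html.respond_to?(:call)                          # anything responding to #call
          html.call(raw)
        elsif respond_to?(:"#{html}_html_sanitize", true)   # :none, :simple, ...
          send(:"#{html}_html_sanitize", raw)
        else                                                # other symbol: entity method
          send(html, raw)                                   # (assumed calling convention)
        end
      end
    end
  end
end

class Comment
  include HtmlSanitationDemo
  extend HtmlSanitationDemo::ClassMethods
  attribute :title                       # default: everything escaped
  attribute :body, html: :simple
  attribute :handle, html: ->(raw) { raw.to_s.strip.downcase }
end
```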

Instance Method Details

#allow_html_sanitize(value) ⇒ String

Does not perform any sanitization of the value.

Parameters:

  • value (String)

    to sanitize.

Returns:

  • (String)

    the sanitized value.


# File 'lib/shamu/attributes/html_sanitation.rb', line 151

def allow_html_sanitize( value )
  return value unless value.is_a?( String )

  Loofah.fragment( value ).scrub!( :no_follow ).to_s
end

#body_html_sanitize(value) ⇒ String

Remove all but a limited subset of common tags useful for body copy text. See BODY_TAGS.

Parameters:

  • value (String)

    to sanitize.

Returns:

  • (String)

    the sanitized value.


# File 'lib/shamu/attributes/html_sanitation.rb', line 124

def body_html_sanitize( value )
  return value unless value.is_a?( String )

  Loofah.fragment( value ).scrub!( BodyScrubber.new ).to_s
end

#none_html_sanitize(value) ⇒ String

Remove all HTML from the value.

Parameters:

  • value (String)

    to sanitize.

Returns:

  • (String)

    the sanitized value.


# File 'lib/shamu/attributes/html_sanitation.rb', line 99

def none_html_sanitize( value )
  return value unless value.is_a?( String )

  Loofah.fragment( value ).scrub!( NoneScrubber.new ).to_s
end

#safe_html_sanitize(value) ⇒ String

Remove all but a broad subset of HTML tags and attributes. See SafeScrubber.

Parameters:

  • value (String)

    to sanitize.

Returns:

  • (String)

    the sanitized value.


# File 'lib/shamu/attributes/html_sanitation.rb', line 136

def safe_html_sanitize( value )
  return value unless value.is_a?( String )

  Loofah.fragment( value )
        .scrub!( SafeScrubber.new )
        .scrub!( :no_follow )
        .to_s
end

#simple_html_sanitize(value) ⇒ String

Remove all but the simplest HTML tags. See SIMPLE_TAGS.

Parameters:

  • value (String)

    to sanitize.

Returns:

  • (String)

    the sanitized value.


# File 'lib/shamu/attributes/html_sanitation.rb', line 111

def simple_html_sanitize( value )
  return value unless value.is_a?( String )

  Loofah.fragment( value ).scrub!( SimpleScrubber.new ).to_s
end