Class: Html::WhiteListSanitizer

Inherits:

Sanitizer

Object
Sanitizer
Html::WhiteListSanitizer

show all

Defined in:: lib/html/sanitizer/sanitizer.rb

Overview

Html::WhiteListSanitizer

Sanitizes html and css from an extensive white list (see link further down).

Whitespace

We can’t make any guarentees about whitespace being kept or stripped. Loofah uses Nokogiri, which wraps either a C or Java parser for the respective Ruby implementation. Those two parsers determine how whitespace is ultimately handled.

When the stripped markup will be rendered the users browser won’t take whitespace into account anyway. It might be better to suggest your users wrap their whitespace sensitive content in pre tags or that you do so automatically.

Options

Sanitizes both html and css via the white lists found here: github.com/flavorjones/loofah/blob/master/lib/loofah/html5/whitelist.rb

WhiteListSanitizer also accepts options to configure the white list used when sanitizing html. There’s a class level option: Html::WhiteListSanitizer.allowed_tags = %w(table tr td) Html::WhiteListSanitizer.allowed_attributes = %w(id class style)

Tags and attributes can also be passed to sanitize. Passed options take precedence over the class level options.

Examples

white_list_sanitizer = Html::WhiteListSanitizer.new

Sanitize css doesn’t take options white_list_sanitizer.sanitize_css(‘background-color: #000;’)

Default: sanitize via a extensive white list of allowed elements white_list_sanitizer.sanitize(@article.body)

White list via the supplied tags and attributes white_list_sanitizer.sanitize(@article.body, tags: %w(table tr td), attributes: %w(id class style))

White list via a custom scrubber white_list_sanitizer.sanitize(@article.body, scrubber: ArticleScrubber.new)

Constant Summary

Constants inherited from Sanitizer

Sanitizer::VERSION

Class Attribute Summary collapse

.allowed_attributes ⇒ Object

Returns the value of attribute allowed_attributes.
.allowed_tags ⇒ Object

Returns the value of attribute allowed_tags.

Instance Method Summary collapse

#initialize ⇒ WhiteListSanitizer constructor

A new instance of WhiteListSanitizer.
#sanitize(html, options = {}) ⇒ Object
#sanitize_css(style_string) ⇒ Object

Methods inherited from Sanitizer

full_sanitizer, link_sanitizer, white_list_sanitizer

Constructor Details

#initialize ⇒ `WhiteListSanitizer`

Returns a new instance of WhiteListSanitizer.



100
101
102

# File 'lib/html/sanitizer/sanitizer.rb', line 100

def initialize
  @permit_scrubber = PermitScrubber.new
end

Class Attribute Details

.allowed_attributes ⇒ `Object`

Returns the value of attribute allowed_attributes.



97
98
99

# File 'lib/html/sanitizer/sanitizer.rb', line 97

def allowed_attributes
  @allowed_attributes
end

.allowed_tags ⇒ `Object`

Returns the value of attribute allowed_tags.



96
97
98

# File 'lib/html/sanitizer/sanitizer.rb', line 96

def allowed_tags
  @allowed_tags
end

Instance Method Details

#sanitize(html, options = {}) ⇒ `Object`

# File 'lib/html/sanitizer/sanitizer.rb', line 104

def sanitize(html, options = {})
  return unless html
  return html if html.empty?

  loofah_fragment = Loofah.fragment(html)

  if scrubber = options[:scrubber]
    # No duck typing, Loofah ensures subclass of Loofah::Scrubber
    loofah_fragment.scrub!(scrubber)
  elsif allowed_tags(options) || allowed_attributes(options)
    @permit_scrubber.tags = allowed_tags(options)
    @permit_scrubber.attributes = allowed_attributes(options)
    loofah_fragment.scrub!(@permit_scrubber)
  else
    remove_xpaths(loofah_fragment, XPATHS_TO_REMOVE)
    loofah_fragment.scrub!(:strip)
  end

  loofah_fragment.to_s
end

#sanitize_css(style_string) ⇒ `Object`



125
126
127

# File 'lib/html/sanitizer/sanitizer.rb', line 125

def sanitize_css(style_string)
  Loofah::HTML5::Scrub.scrub_css(style_string)
end