Module: Loofah::XssFoliate

Defined in:
lib/loofah-activerecord/xss_foliate.rb

Overview

A replacement for XssTerminate[http://github.com/look/xss_terminate/tree/master],
XssFoliate will strip all tags from your ActiveRecord models'
string and text attributes.

Please read the Loofah documentation for an explanation of the
different scrubbing methods, and
Loofah::XssFoliate::ClassMethods for more information on the
methods.

If you'd like to scrub all fields in all your models (and perhaps *opt-out* in specific models):

  # config/initializers/loofah.rb
  require 'loofah-activerecord'
  Loofah::XssFoliate.xss_foliate_all_models

  # db/schema.rb
  create_table "posts" do |t|
    t.string  "title"
    t.text    "body"
    t.string  "author"
  end

  # app/model/post.rb
  class Post < ActiveRecord::Base
    #  by default, title, body and author will all be scrubbed down to their inner text
  end

OR

  # app/model/post.rb
  class Post < ActiveRecord::Base
    xss_foliate :except => :author  # opt-out of sanitizing author
  end

OR

    xss_foliate :strip => [:title, :body]  # strip unsafe tags from both title and body

OR

    xss_foliate :except => :title         # scrub body and author but not title

OR

    # remove all tags from title, remove unsafe tags from body
    xss_foliate :sanitize => :title, :scrub => :body

OR

    # old xss_terminate code will work if you s/_terminate/_foliate/
    # was: xss_terminate :except => [:title], :sanitize => [:body]
    xss_foliate :except => [:title], :sanitize => [:body]

Alternatively, if you would like to *opt-in* to the models and attributes that are sanitized:

  # config/initializers/loofah.rb
  require 'loofah-activerecord'
  ## note omission of call to Loofah::XssFoliate.xss_foliate_all_models

  # db/schema.rb
  create_table "posts" do |t|
    t.string  "title"
    t.text    "body"
    t.string  "author"
  end

  # app/model/post.rb
  class Post < ActiveRecord::Base
    xss_foliate  # scrub title, body and author down to their inner text
  end

Defined Under Namespace

Modules: ClassMethods, InstanceMethods

Class Method Summary

Class Method Details

.xss_foliate_all_models ⇒ Object

# File 'lib/loofah-activerecord/xss_foliate.rb', line 201

def self.xss_foliate_all_models
  ::ActiveRecord::Base.xss_foliate
end