Module: Loofah::XssFoliate
- Defined in:
- lib/loofah/activerecord/xss_foliate.rb
Overview
A replacement for
XssTerminate[http://github.com/look/xss_terminate/tree/master],
XssFoliate will strip all tags from your ActiveRecord models'
string and text attributes.
Please read the Loofah documentation for an explanation of the
different scrubbing methods, and
Loofah::XssFoliate::ClassMethods for more information on the
methods.
If you'd like to scrub all fields in all your models (and perhaps *opt-out* in specific models):
# config/initializers/loofah.rb
require 'loofah-activerecord'
Loofah::XssFoliate.xss_foliate_all_models
# db/schema.rb
create_table "posts" do |t|
t.string "title"
t.text "body"
t.string "author"
end
# app/model/post.rb
class Post < ActiveRecord::Base
# by default, title, body and author will all be scrubbed down to their inner text
end
OR
# app/model/post.rb
class Post < ActiveRecord::Base
xss_foliate :except => :author # opt-out of sanitizing author
end
OR
xss_foliate :strip => [:title, :body] # strip unsafe tags from both title and body
OR
xss_foliate :except => :title # scrub body and author but not title
OR
# remove all tags from title, remove unsafe tags from body
xss_foliate :sanitize => :title, :scrub => :body
OR
# old xss_terminate code will work if you s/_terminate/_foliate/
# was: xss_terminate :except => [:title], :sanitize => [:body]
xss_foliate :except => [:title], :sanitize => [:body]
OR
# when the final content is intended for non-html contexts,
# such as plaintext email, you can turn off entity encoding
# for all fields (i.e. do *not* escape HTML entities in any field).
# NOTE THAT THE RESULT IS UNSAFE FOR RENDERING IN HTML CONTEXTS.
xss_foliate :encode_special_chars => false
OR
# or you can turn off entity encoding only for specific fields:
# HTML entities will be escaped in all fields except title.
# NOTE THAT `TITLE` IS THEN UNSAFE FOR RENDERING IN HTML CONTEXTS.
xss_foliate :unencode_special_chars => [:title]
Alternatively, if you would like to *opt-in* to the models and attributes that are sanitized:
# config/initializers/loofah.rb
require 'loofah-activerecord'
## note omission of call to Loofah::XssFoliate.xss_foliate_all_models
# db/schema.rb
create_table "posts" do |t|
t.string "title"
t.text "body"
t.string "author"
end
# app/model/post.rb
class Post < ActiveRecord::Base
xss_foliate # scrub title, body and author down to their inner text
end
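The variants above differ only in three decisions per attribute: whether the attribute is scrubbed at all, which scrubber handles it, and whether the resulting text has its special characters entity-encoded. The following is an added illustration, not loofah-activerecord's own code, that models those decisions for a constructed stand-in of the `posts` schema. `foliation_plan` resolves an option hash into a per-field plan (option semantics are modelled from the examples on this page, with `:sanitize` treated like `:strip` as an assumption; `Loofah::XssFoliate::ClassMethods` is the authoritative list of accepted options). `store_text_field` shows only the entity-encoding step of the default text path, on input that contains no tags, so the tag-stripping that Loofah performs is not reimplemented here. The column list and the payload are constructed.

```ruby
# frozen_string_literal: true
require "cgi"

# Constructed stand-in for the `posts` schema above. An integer column is
# included to show that only string/text attributes are candidates.
POST_COLUMNS = { title: :string, body: :text, author: :string, views: :integer }.freeze

# Per-field scrubber options accepted by this model. :sanitize is the
# xss_terminate-compatible spelling and is treated like :strip here
# (an assumption of this illustration, not taken from the library source).
SCRUBBER_OPTIONS = %i[strip sanitize].freeze
KNOWN_OPTIONS    = (%i[except encode_special_chars unencode_special_chars] + SCRUBBER_OPTIONS).freeze

# Resolve xss_foliate options into a plan for each string/text column:
#   - :except wins over everything else (the field is left alone)
#   - a field named under a scrubber option keeps the markup that scrubber
#     allows (output :html)
#   - every other field is stripped down to its inner text (output :text);
#     whether that text is entity-encoded depends on :encode_special_chars
#     (global) and :unencode_special_chars (per field)
def foliation_plan(columns, options = {})
  unknown = options.keys.map(&:to_sym) - KNOWN_OPTIONS
  raise ArgumentError, "unknown xss_foliate option(s): #{unknown.inspect}" unless unknown.empty?

  except     = Array(options[:except]).map(&:to_sym)
  unencode   = Array(options[:unencode_special_chars]).map(&:to_sym)
  encode_all = options.fetch(:encode_special_chars, true)

  named = {}
  SCRUBBER_OPTIONS.each do |scrubber|
    Array(options[scrubber]).each { |field| named[field.to_sym] = scrubber }
  end

  columns.each_with_object({}) do |(field, type), plan|
    next unless %i[string text].include?(type)
    next if except.include?(field)

    if named.key?(field)
      plan[field] = { scrubber: named[field], output: :html }
    else
      encode = encode_all && !unencode.include?(field)
      # Unencoded inner text may contain literal '<', '>' and '&', so it is
      # only safe in HTML if the view escapes it again when rendering.
      plan[field] = { scrubber: :strip, output: :text,
                      encode_special_chars: encode, safe_in_html: encode }
    end
  end
end

# Model of the default text path for a value that contains NO tags, so the
# strip step is the identity and only "inner text, then encode" remains:
# entities are decoded to obtain the text, then re-encoded unless
# encode_special_chars is false. (CGI.escapeHTML stands in for the encoder.)
def store_text_field(value, encode_special_chars: true)
  inner_text = CGI.unescapeHTML(value)
  encode_special_chars ? CGI.escapeHTML(inner_text) : inner_text
end

if $PROGRAM_NAME == __FILE__
  plan = foliation_plan(POST_COLUMNS, except: :author, unencode_special_chars: [:title])
  plan.each { |field, decision| puts "#{field}: #{decision}" }

  payload = "&lt;img src=x onerror=alert(1)&gt;" # constructed, entity-encoded payload
  puts store_text_field(payload)                              # stays entity-encoded
  puts store_text_field(payload, encode_special_chars: false) # becomes a live tag
end
```

Running the file prints the plan for the `:except => :author, :unencode_special_chars => [:title]` variant and then the two stored forms of the payload. The second form is exactly what the NOTEs above warn about: once an attribute is stored unencoded, rendering it with `raw` or `html_safe` (as is tempting for a field believed to be "already sanitized") reintroduces the markup the scrubbing removed, so such attributes must only be emitted through escaping output or into non-HTML contexts.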
Defined Under Namespace
Modules: ClassMethods, InstanceMethods
Class Method Summary
Class Method Details
.xss_foliate_all_models ⇒ Object
Calls xss_foliate with the default options on ::ActiveRecord::Base, so every model is scrubbed unless it opts out; intended to be called from an initializer as shown in the Overview.
# File 'lib/loofah/activerecord/xss_foliate.rb', line 263
def self.xss_foliate_all_models
  ::ActiveRecord::Base.xss_foliate
end