Module: Loofah::XssFoliate

Defined in:
lib/loofah/activerecord/xss_foliate.rb

Overview

A replacement for
XssTerminate[http://github.com/look/xss_terminate/tree/master],
XssFoliate will strip all tags from your ActiveRecord models'
string and text attributes.

Please read the Loofah documentation for an explanation of the
different scrubbing methods, and
Loofah::XssFoliate::ClassMethods for more information on the
methods.

If you'd like to scrub all fields in all your models (and perhaps *opt-out* in specific models):

  # config/initializers/loofah.rb
  require 'loofah-activerecord'
  Loofah::XssFoliate.xss_foliate_all_models

  # db/schema.rb
  create_table "posts" do |t|
    t.string  "title"
    t.text    "body"
    t.string  "author"
  end

  # app/model/post.rb
  class Post < ActiveRecord::Base
    # by default, title, body and author will all be scrubbed down to their inner text
  end

OR

  # app/model/post.rb
  class Post < ActiveRecord::Base
    xss_foliate :except => :author  # opt-out of sanitizing author
  end

OR

    xss_foliate :strip => [:title, :body]  # strip unsafe tags from both title and body

OR

    xss_foliate :except => :title         # scrub body and author but not title

OR

    # remove all tags from title, remove unsafe tags from body
    xss_foliate :sanitize => :title, :scrub => :body

OR

    # old xss_terminate code will work if you s/_terminate/_foliate/
    # was: xss_terminate :except => [:title], :sanitize => [:body]
    xss_foliate :except => [:title], :sanitize => [:body]

OR

    # when the final content is intended for non-html contexts,
    # such as plaintext email, you can turn off entity encoding
    # for all fields
    xss_foliate :encode_special_chars => false   # do *not* escape HTML entities in any field. NOTE THAT THE RESULT IS UNSAFE FOR RENDERING IN HTML CONTEXTS.

OR

    # or you can turn off entity encoding only for specific fields.
    xss_foliate :unencode_special_chars => [:title]  # will escape HTML entities in all fields except title. NOTE THAT `TITLE` IS UNSAFE FOR RENDERING IN HTML CONTEXTS.
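The two NOTEs above come down to one rule: the entity-encoding setting of a field and the escaping done at render time must agree. The following is an added illustration, not code from loofah-activerecord; it assumes tag stripping has already happened and uses only Ruby's stdlib CGI helpers to show what happens to a stored value in an HTML context and in a plaintext context under each setting, including the double-encoding and missing-encoding mistakes.

```ruby
require "cgi"

# Constructed sample: a title after XssFoliate has reduced it to inner text,
# before the entity-encoding step controlled by :encode_special_chars /
# :unencode_special_chars. (Assumption: no tags remain at this point.)
STRIPPED_TITLE = 'Tom & Jerry <3 "cheese"'

# What gets stored when entity encoding is ON for the field (the default).
def encoded_storage(text)
  CGI.escapeHTML(text)
end

# What gets stored when entity encoding is OFF for the field
# (:encode_special_chars => false or :unencode_special_chars => [field]).
def unencoded_storage(text)
  text
end

# Render a stored value into an HTML context. `stored_encoded` must match how
# the field was configured: escaping an already-encoded value double-encodes it
# (the reader sees "&amp;"), while trusting an unencoded value emits raw
# markup characters into the page.
def render_html(stored, stored_encoded:)
  body = stored_encoded ? stored : CGI.escapeHTML(stored)
  "<h1>#{body}</h1>"
end

# Render a stored value into a plaintext context such as an email subject:
# an encoded value has to be decoded here, or the reader sees literal "&lt;".
def render_plaintext(stored, stored_encoded:)
  stored_encoded ? CGI.unescapeHTML(stored) : stored
end

# Convenience: the four combinations side by side for a given input.
def render_matrix(text)
  enc = encoded_storage(text)
  raw = unencoded_storage(text)
  {
    html_from_encoded:      render_html(enc, stored_encoded: true),
    html_from_unencoded:    render_html(raw, stored_encoded: false),
    text_from_encoded:      render_plaintext(enc, stored_encoded: true),
    text_from_unencoded:    render_plaintext(raw, stored_encoded: false),
    # the two mismatches a reviewer should look for:
    html_double_encoded:    render_html(enc, stored_encoded: false),
    html_raw_chars_leaked:  render_html(raw, stored_encoded: true),
  }
end

if __FILE__ == $0
  render_matrix(STRIPPED_TITLE).each { |k, v| puts "#{k}: #{v}" }
end
```

The correct combinations produce identical HTML and identical plaintext regardless of where the encoding happens; the value of the per-field option is only in choosing which side does the work. The `html_raw_chars_leaked` entry is the case the page warns about: a field stored with encoding turned off must be escaped by the view layer before it reaches an HTML context.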

Alternatively, if you would like to *opt-in* to the models and attributes that are sanitized:

  # config/initializers/loofah.rb
  require 'loofah-activerecord'
  ## note omission of call to Loofah::XssFoliate.xss_foliate_all_models

  # db/schema.rb
  create_table "posts" do |t|
    t.string  "title"
    t.text    "body"
    t.string  "author"
  end

  # app/model/post.rb
  class Post < ActiveRecord::Base
    xss_foliate  # scrub title, body and author down to their inner text
  end

Defined Under Namespace

Modules: ClassMethods, InstanceMethods

Class Method Summary

Class Method Details

.xss_foliate_all_models ⇒ Object

# File 'lib/loofah/activerecord/xss_foliate.rb', line 263

def self.xss_foliate_all_models
  ::ActiveRecord::Base.xss_foliate
end