Rails Html Sanitizers
In Rails 5 this gem will be responsible for sanitizing HTML fragments in Rails applications,
i.e. in the
Include it in your Gemfile now to test for any incompatibilities and enjoy a safer and cleaner future.
Add this line to your application's Gemfile:
And then execute:
Or install it yourself as:
$ gem install rails-html-sanitizer
All sanitizers respond to
full_sanitizer = ::::.new full_sanitizer.sanitize("<b>Bold</b> no more! <a href='more.html'>See more here</a>...") # => Bold no more! See more here...
= ::::. .sanitize('<a href="example.com">Only the link text will be kept.</a>') # => Only the link text will be kept.
white_list_sanitizer = ::::. # sanitize via an extensive white list of allowed elements white_list_sanitizer.sanitize(@article.body) # white list only the supplied tags and attributes white_list_sanitizer.sanitize(@article.body, tags: %w(table tr td), attributes: %w(id class style)) # white list via a custom scrubber white_list_sanitizer.sanitize(@article.body, scrubber: ArticleScrubber.new) # white list sanitizer can also sanitize css white_list_sanitizer.sanitize_css('background-color: #000;')
Scrubbers are objects responsible for removing nodes or attributes you don't want in your HTML document.
This gem includes two scrubbers
This scrubber allows you to permit only the tags and attributes you want.
scrubber = ::::. scrubber. = ['a'] html_fragment = Loofah.fragment('<a><img/ ></a>') html_fragment.scrub!(scrubber) html_fragment.to_s # => "<a></a>"
PermitScrubber picks out tags and attributes to permit in sanitization,
Rails::Html::TargetScrubber targets them for removal.
scrubber = ::::. scrubber. = ['img'] html_fragment = Loofah.fragment('<a><img/ ></a>') html_fragment.scrub!(scrubber) html_fragment.to_s # => "<a></a>"
You can also create custom scrubbers in your application if you want to.
class CommentScrubber < :::: def allowed_node?(node) !%w(form script comment blockquote).include?(node.name) end def skip_node?(node) node.text? end def scrub_attribute?(name) name == "style" end end
Rails::Html::PermitScrubber documentation to learn more about which methods can be overridden.
Custom Scrubber in a Rails app
CommentScrubber from above, you can use this in a Rails view like so:
<%= sanitize @comment, scrubber: CommentScrubber.new %>
Loofah is what underlies the sanitizers and scrubbers of rails-html-sanitizer.
node argument passed to some methods in a custom scrubber is an instance of
- Fork it
- Create your feature branch (
git checkout -b my-new-feature)
- Commit your changes (
git commit -am 'Add some feature')
- Push to the branch (
git push origin my-new-feature)
- Create new Pull Request