Class: Rails::Html::SafeListSanitizer
- Defined in:
- lib/rails/html/sanitizer.rb
Overview
Rails::Html::SafeListSanitizer
Sanitizes html and css from an extensive safe list (see link further down).
Whitespace
We can’t make any guarantees about whitespace being kept or stripped. Loofah uses Nokogiri, which wraps either a C or Java parser for the respective Ruby implementation. Those two parsers determine how whitespace is ultimately handled.
When the stripped markup will be rendered the users browser won’t take whitespace into account anyway. It might be better to suggest your users wrap their whitespace sensitive content in pre tags or that you do so automatically.
Options
Sanitizes both html and css via the safe lists found here: github.com/flavorjones/loofah/blob/master/lib/loofah/html5/whitelist.rb
SafeListSanitizer also accepts options to configure the safe list used when sanitizing html. There’s a class level option: Rails::Html::SafeListSanitizer.allowed_tags = %w(table tr td) Rails::Html::SafeListSanitizer.allowed_attributes = %w(id class style)
Tags and attributes can also be passed to sanitize
. Passed options take precedence over the class level options.
Examples
safe_list_sanitizer = Rails::Html::SafeListSanitizer.new
Sanitize css doesn’t take options safe_list_sanitizer.sanitize_css(‘background-color: #000;’)
Default: sanitize via a extensive safe list of allowed elements safe_list_sanitizer.sanitize(@article.body)
Safe list via the supplied tags and attributes safe_list_sanitizer.sanitize(@article.body, tags: %w(table tr td), attributes: %w(id class style))
Safe list via a custom scrubber safe_list_sanitizer.sanitize(@article.body, scrubber: ArticleScrubber.new)
Constant Summary
Constants inherited from Sanitizer
Rails::Html::Sanitizer::VERSION
Class Attribute Summary collapse
-
.allowed_attributes ⇒ Object
Returns the value of attribute allowed_attributes.
-
.allowed_tags ⇒ Object
Returns the value of attribute allowed_tags.
Instance Method Summary collapse
-
#initialize ⇒ SafeListSanitizer
constructor
A new instance of SafeListSanitizer.
- #sanitize(html, options = {}) ⇒ Object
- #sanitize_css(style_string) ⇒ Object
Methods inherited from Sanitizer
full_sanitizer, link_sanitizer, safe_list_sanitizer, white_list_sanitizer
Constructor Details
#initialize ⇒ SafeListSanitizer
Returns a new instance of SafeListSanitizer.
113 114 115 |
# File 'lib/rails/html/sanitizer.rb', line 113 def initialize @permit_scrubber = PermitScrubber.new end |
Class Attribute Details
.allowed_attributes ⇒ Object
Returns the value of attribute allowed_attributes.
106 107 108 |
# File 'lib/rails/html/sanitizer.rb', line 106 def allowed_attributes @allowed_attributes end |
.allowed_tags ⇒ Object
Returns the value of attribute allowed_tags.
105 106 107 |
# File 'lib/rails/html/sanitizer.rb', line 105 def @allowed_tags end |
Instance Method Details
#sanitize(html, options = {}) ⇒ Object
117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 |
# File 'lib/rails/html/sanitizer.rb', line 117 def sanitize(html, = {}) return unless html return html if html.empty? loofah_fragment = Loofah.fragment(html) if scrubber = [:scrubber] # No duck typing, Loofah ensures subclass of Loofah::Scrubber loofah_fragment.scrub!(scrubber) elsif () || allowed_attributes() @permit_scrubber. = () @permit_scrubber.attributes = allowed_attributes() loofah_fragment.scrub!(@permit_scrubber) else remove_xpaths(loofah_fragment, XPATHS_TO_REMOVE) loofah_fragment.scrub!(:strip) end properly_encode(loofah_fragment, encoding: 'UTF-8') end |
#sanitize_css(style_string) ⇒ Object
138 139 140 |
# File 'lib/rails/html/sanitizer.rb', line 138 def sanitize_css(style_string) Loofah::HTML5::Scrub.scrub_css(style_string) end |