Class: Rails::Html::SafeListSanitizer

Inherits:
Sanitizer
  • Object
show all
Defined in:
lib/rails/html/sanitizer.rb

Overview

Rails::Html::SafeListSanitizer

Sanitizes html and css from an extensive safe list (see link further down).

Whitespace

We can't make any guarantees about whitespace being kept or stripped. Loofah uses Nokogiri, which wraps either a C or Java parser for the respective Ruby implementation. Those two parsers determine how whitespace is ultimately handled.

When the stripped markup will be rendered the users browser won't take whitespace into account anyway. It might be better to suggest your users wrap their whitespace sensitive content in pre tags or that you do so automatically.

Options

Sanitizes both html and css via the safe lists found here: github.com/flavorjones/loofah/blob/master/lib/loofah/html5/whitelist.rb

SafeListSanitizer also accepts options to configure the safe list used when sanitizing html. There's a class level option: Rails::Html::SafeListSanitizer.allowed_tags = %w(table tr td) Rails::Html::SafeListSanitizer.allowed_attributes = %w(id class style)

Tags and attributes can also be passed to sanitize. Passed options take precedence over the class level options.

Examples

safe_list_sanitizer = Rails::Html::SafeListSanitizer.new

Sanitize css doesn't take options safe_list_sanitizer.sanitize_css('background-color: #000;')

Default: sanitize via a extensive safe list of allowed elements safe_list_sanitizer.sanitize(@article.body)

Safe list via the supplied tags and attributes safe_list_sanitizer.sanitize(@article.body, tags: %w(table tr td), attributes: %w(id class style))

Safe list via a custom scrubber safe_list_sanitizer.sanitize(@article.body, scrubber: ArticleScrubber.new)

Constant Summary

Constants inherited from Sanitizer

Rails::Html::Sanitizer::VERSION

Class Attribute Summary collapse

Instance Method Summary collapse

Methods inherited from Sanitizer

full_sanitizer, link_sanitizer, safe_list_sanitizer, white_list_sanitizer

Constructor Details

#initializeSafeListSanitizer

Returns a new instance of SafeListSanitizer.


113
114
115
# File 'lib/rails/html/sanitizer.rb', line 113

def initialize
  @permit_scrubber = PermitScrubber.new
end

Class Attribute Details

.allowed_attributesObject

Returns the value of attribute allowed_attributes


106
107
108
# File 'lib/rails/html/sanitizer.rb', line 106

def allowed_attributes
  @allowed_attributes
end

.allowed_tagsObject

Returns the value of attribute allowed_tags


105
106
107
# File 'lib/rails/html/sanitizer.rb', line 105

def allowed_tags
  @allowed_tags
end

Instance Method Details

#sanitize(html, options = {}) ⇒ Object


117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
# File 'lib/rails/html/sanitizer.rb', line 117

def sanitize(html, options = {})
  return unless html
  return html if html.empty?

  loofah_fragment = Loofah.fragment(html)

  if scrubber = options[:scrubber]
    # No duck typing, Loofah ensures subclass of Loofah::Scrubber
    loofah_fragment.scrub!(scrubber)
  elsif allowed_tags(options) || allowed_attributes(options)
    @permit_scrubber.tags = allowed_tags(options)
    @permit_scrubber.attributes = allowed_attributes(options)
    loofah_fragment.scrub!(@permit_scrubber)
  else
    remove_xpaths(loofah_fragment, XPATHS_TO_REMOVE)
    loofah_fragment.scrub!(:strip)
  end

  properly_encode(loofah_fragment, encoding: 'UTF-8')
end

#sanitize_css(style_string) ⇒ Object


138
139
140
# File 'lib/rails/html/sanitizer.rb', line 138

def sanitize_css(style_string)
  Loofah::HTML5::Scrub.scrub_css(style_string)
end