Class: Rails::HTML5::SafeListSanitizer

Inherits:

Rails::HTML::Sanitizer

Object
Rails::HTML::Sanitizer
Rails::HTML5::SafeListSanitizer

show all

Includes:: Rails::HTML::Concern::ComposedSanitize, Rails::HTML::Concern::Parser::HTML5, Rails::HTML::Concern::Scrubber::SafeList, Rails::HTML::Concern::Serializer::UTF8Encode

Defined in:: lib/rails/html/sanitizer.rb

Overview

Rails::HTML5::SafeListSanitizer

Sanitizes HTML5 and CSS from an extensive safe list.

Whitespace

We can’t make any guarantees about whitespace being kept or stripped. Loofah uses Nokogiri, which wraps either a C or Java parser for the respective Ruby implementation. Those two parsers determine how whitespace is ultimately handled.

When the stripped markup will be rendered the users browser won’t take whitespace into account anyway. It might be better to suggest your users wrap their whitespace sensitive content in pre tags or that you do so automatically.

Options

Sanitizes both html and css via the safe lists found in Rails::HTML::Concern::Scrubber::SafeList

SafeListSanitizer also accepts options to configure the safe list used when sanitizing html. There’s a class level option:

Rails::HTML5::SafeListSanitizer.allowed_tags = %w(table tr td)
Rails::HTML5::SafeListSanitizer.allowed_attributes = %w(id class style)

Tags and attributes can also be passed to sanitize. Passed options take precedence over the class level options.

Examples

safe_list_sanitizer = Rails::HTML5::SafeListSanitizer.new

# default: sanitize via a extensive safe list of allowed elements
safe_list_sanitizer.sanitize(@article.body)

# sanitize via the supplied tags and attributes
safe_list_sanitizer.sanitize(
  @article.body,
  tags: %w(table tr td),
  attributes: %w(id class style),
)

# sanitize via a custom Loofah scrubber
safe_list_sanitizer.sanitize(@article.body, scrubber: ArticleScrubber.new)

# prune nodes from the tree instead of stripping tags and leaving inner content
safe_list_sanitizer = Rails::HTML5::SafeListSanitizer.new(prune: true)

# the sanitizer can also sanitize CSS
safe_list_sanitizer.sanitize_css('background-color: #000;')

Constant Summary

Constants included from Rails::HTML::Concern::Scrubber::SafeList

Rails::HTML::Concern::Scrubber::SafeList::DEFAULT_ALLOWED_ATTRIBUTES, Rails::HTML::Concern::Scrubber::SafeList::DEFAULT_ALLOWED_TAGS

Constants inherited from Rails::HTML::Sanitizer

Rails::HTML::Sanitizer::VERSION

Method Summary

Class: Rails::HTML5::SafeListSanitizer

Overview

Rails::HTML5::SafeListSanitizer

Whitespace

Options

Examples

Constant Summary

Constants included from Rails::HTML::Concern::Scrubber::SafeList

Constants inherited from Rails::HTML::Sanitizer

Method Summary

Methods included from Rails::HTML::Concern::Serializer::UTF8Encode

Methods included from Rails::HTML::Concern::Scrubber::SafeList

Methods included from Rails::HTML::Concern::Parser::HTML5

Methods included from Rails::HTML::Concern::ComposedSanitize

Methods inherited from Rails::HTML::Sanitizer

Methods included from Rails::HTML4::Sanitizer::VendorMethods