module ActionView::Helpers::SanitizeHelper
The SanitizeHelper module provides a set of methods for scrubbing text of undesired HTML elements. These helper methods extend Action View making them callable within your template files.
Public Instance Methods
# File actionview/lib/action_view/helpers/sanitize_helper.rb, line 82 def sanitize(html, options = {}) self.class.white_list_sanitizer.sanitize(html, options).try(:html_safe) end
Sanitizes HTML input, stripping all tags and attributes that aren't whitelisted.
It also strips href/src attributes with unsafe protocols like javascript:
, while also protecting against attempts to use Unicode, ASCII, and hex character references to work around these protocol filters.
The default sanitizer is Rails::Html::WhiteListSanitizer. See Rails HTML Sanitizers for more information.
Custom sanitization rules can also be provided.
Please note that sanitizing user-provided text does not guarantee that the resulting markup is valid or even well-formed. For example, the output may still contain unescaped characters like <
, >
, or &
.
Options
-
:tags
- An array of allowed tags. -
:attributes
- An array of allowed attributes. -
:scrubber
- A Rails::Html scrubber or Loofah::Scrubber object that defines custom sanitization rules. A custom scrubber takes precedence over custom tags and attributes.
Examples
Normal use:
<%= sanitize @comment.body %>
Providing custom whitelisted tags and attributes:
<%= sanitize @comment.body, tags: %w(strong em a), attributes: %w(href) %>
Providing a custom Rails::Html scrubber:
class CommentScrubber < Rails::Html::PermitScrubber def allowed_node?(node) !%w(form script comment blockquote).include?(node.name) end def skip_node?(node) node.text? end def scrub_attribute?(name) name == 'style' end end <%= sanitize @comment.body, scrubber: CommentScrubber.new %>
See Rails HTML Sanitizer for documentation about Rails::Html scrubbers.
Providing a custom Loofah::Scrubber:
scrubber = Loofah::Scrubber.new do |node| node.remove if node.name == 'script' end <%= sanitize @comment.body, scrubber: scrubber %>
See Loofah’s documentation for more information about defining custom Loofah::Scrubber objects.
To set the default allowed tags or attributes across your application:
# In config/application.rb config.action_view.sanitized_allowed_tags = ['strong', 'em', 'a'] config.action_view.sanitized_allowed_attributes = ['href', 'title']
# File actionview/lib/action_view/helpers/sanitize_helper.rb, line 87 def sanitize_css(style) self.class.white_list_sanitizer.sanitize_css(style) end
Sanitizes a block of CSS code. Used by sanitize
when it comes across a style attribute.
# File actionview/lib/action_view/helpers/sanitize_helper.rb, line 115 def strip_links(html) self.class.link_sanitizer.sanitize(html) end
Strips all link tags from html
leaving just the link text.
strip_links('<a href="http://www.rubyonrails.org">Ruby on Rails</a>') # => Ruby on Rails strip_links('Please e-mail me at <a href="mailto:[email protected]">[email protected]</a>.') # => Please e-mail me at [email protected]. strip_links('Blog: <a href="http://www.myblog.com/" class="nav" target=\"_blank\">Visit</a>.') # => Blog: Visit.
# File actionview/lib/action_view/helpers/sanitize_helper.rb, line 101 def strip_tags(html) self.class.full_sanitizer.sanitize(html, encode_special_chars: false) end
Strips all HTML tags from html
, including comments.
strip_tags("Strip <i>these</i> tags!") # => Strip these tags! strip_tags("<b>Bold</b> no more! <a href='more.html'>See more here</a>...") # => Bold no more! See more here... strip_tags("<div id='top-bar'>Welcome to my website!</div>") # => Welcome to my website!
© 2004–2018 David Heinemeier Hansson
Licensed under the MIT License.