rails-html-sanitizer

by rails

213 Stars 59 Forks Last release: about 1 year ago (v1.3.0) MIT License 150 Commits 8 Releases

Available items

No Items, yet!

The developer of this repository has not created any items for sale yet. Need a bug fixed? Help with integration? A different license? Create a request here:

Rails Html Sanitizers

In Rails 4.2 and above this gem will be responsible for sanitizing HTML fragments in Rails applications, i.e. in the

sanitize
,
sanitize_css
,
strip_tags
and
strip_links
methods.

Rails Html Sanitizer is only intended to be used with Rails applications. If you need similar functionality in non Rails apps consider using Loofah directly (that's what handles sanitization under the hood).

Installation

Add this line to your application's Gemfile:

gem 'rails-html-sanitizer'

And then execute:

$ bundle

Or install it yourself as:

$ gem install rails-html-sanitizer

Usage

Sanitizers

All sanitizers respond to

sanitize
.

FullSanitizer

full_sanitizer = Rails::Html::FullSanitizer.new
full_sanitizer.sanitize("Bold no more!  See more here...")
# => Bold no more!  See more here...

LinkSanitizer

link_sanitizer = Rails::Html::LinkSanitizer.new
link_sanitizer.sanitize('Only the link text will be kept.')
# => Only the link text will be kept.

SafeListSanitizer

safe_list_sanitizer = Rails::Html::SafeListSanitizer.new

sanitize via an extensive safe list of allowed elements

safe_list_sanitizer.sanitize(@article.body)

safe list only the supplied tags and attributes

safe_list_sanitizer.sanitize(@article.body, tags: %w(table tr td), attributes: %w(id class style))

safe list via a custom scrubber

safe_list_sanitizer.sanitize(@article.body, scrubber: ArticleScrubber.new)

safe list sanitizer can also sanitize css

safe_list_sanitizer.sanitize_css('background-color: #000;')

Scrubbers

Scrubbers are objects responsible for removing nodes or attributes you don't want in your HTML document.

This gem includes two scrubbers

Rails::Html::PermitScrubber
and
Rails::Html::TargetScrubber
.

Rails::Html::PermitScrubber

This scrubber allows you to permit only the tags and attributes you want.

scrubber = Rails::Html::PermitScrubber.new
scrubber.tags = ['a']

html_fragment = Loofah.fragment('') html_fragment.scrub!(scrubber) html_fragment.to_s # => ""

Rails::Html::TargetScrubber

Where

PermitScrubber
picks out tags and attributes to permit in sanitization,
Rails::Html::TargetScrubber
targets them for removal.
scrubber = Rails::Html::TargetScrubber.new
scrubber.tags = ['img']

html_fragment = Loofah.fragment('') html_fragment.scrub!(scrubber) html_fragment.to_s # => ""

Custom Scrubbers

You can also create custom scrubbers in your application if you want to.

class CommentScrubber < Rails::Html::PermitScrubber
  def initialize
    super
    self.tags = %w( form script comment blockquote )
    self.attributes = %w( style )
  end

def skip_node?(node) node.text? end end

See

Rails::Html::PermitScrubber
documentation to learn more about which methods can be overridden.

Custom Scrubber in a Rails app

Using the

CommentScrubber
from above, you can use this in a Rails view like so:

Read more

Loofah is what underlies the sanitizers and scrubbers of rails-html-sanitizer. - Loofah and Loofah Scrubbers

The

node
argument passed to some methods in a custom scrubber is an instance of
Nokogiri::XML::Node
. -
Nokogiri::XML::Node
- Nokogiri

Contributing to Rails Html Sanitizers

Rails Html Sanitizers is work of many contributors. You're encouraged to submit pull requests, propose features and discuss issues.

See CONTRIBUTING.

License

Rails Html Sanitizers is released under the MIT License.

We use cookies. If you continue to browse the site, you agree to the use of cookies. For more information on our use of cookies please see our Privacy Policy.