Module: ActionView::Helpers::SanitizeHelper
- Extended by:
- ActiveSupport::Concern
- Included in:
- ActionView::Helpers, TextHelper
- Defined in:
- actionview/lib/action_view/helpers/sanitize_helper.rb
Overview
The SanitizeHelper module provides a set of methods for scrubbing text of undesired HTML elements. These helper methods extend Action View making them callable within your template files.
Defined Under Namespace
Modules: ClassMethods
Instance Method Summary
- #sanitize(html, options = {}) ⇒ Object
  This sanitize helper will HTML-encode every tag and strip every attribute that is not specifically allowed.
- #sanitize_css(style) ⇒ Object
  Sanitizes a block of CSS code.
- #strip_links(html) ⇒ Object
  Strips all link tags from html, leaving just the link text.
- #strip_tags(html) ⇒ Object
  Strips all HTML tags from html, including comments.
Methods included from ActiveSupport::Concern
append_features, extended, included
Instance Method Details
#sanitize(html, options = {}) ⇒ Object
This sanitize helper will HTML-encode every tag and strip every attribute that is not specifically allowed.
It also strips href/src attributes whose value uses a protocol that is not allowed, javascript: in particular. It does its best to counter the tricks attackers use to get past javascript: filters, such as spelling the scheme with unicode, ASCII or hex character references. Check out the extensive test suite. Note that the return value is marked html_safe (the method body calls .try(:html_safe)), so it is rendered without any further escaping: the allowlist is the only thing standing between the user-supplied markup and the page.
<%= sanitize @article.body %>
You can add or remove tags/attributes if you want to customize it a bit. See ActionView::Base for full docs on the available options. You can add tags/attributes for single uses of sanitize by passing either the :attributes or :tags options:
Normal Use

<%= sanitize @article.body %>

Custom Use (only the mentioned tags and attributes are allowed, nothing else)

<%= sanitize @article.body, tags: %w(table tr td), attributes: %w(id class style) %>

Add table tags to the default allowed tags

class Application < Rails::Application
  config.action_view.sanitized_allowed_tags = 'table', 'tr', 'td'
end

Remove tags from the default allowed tags

class Application < Rails::Application
  config.after_initialize do
    ActionView::Base.sanitized_allowed_tags.delete 'div'
  end
end

Change the default allowed attributes

class Application < Rails::Application
  config.action_view.sanitized_allowed_attributes = ['id', 'class', 'style']
end
Please note that sanitizing user-provided text does not guarantee that the resulting markup is valid (conforming to a document type) or even well-formed. The output may still contain e.g. unescaped ‘<’, ‘>’, ‘&’ characters and confuse browsers.
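The paragraph above says the helper defeats unicode/ASCII/hex tricks against the javascript: filter. The following is an added example written for this page, not the sanitizer Rails ships: a small model of the scheme check an allowlist sanitizer has to apply to an href/src value, showing why the comparison must be made on the entity-decoded, control-stripped value rather than on the raw string. The SAFE_SCHEMES list, the function names and the PAYLOADS table are assumptions constructed here.

```ruby
# Added example, not Rails code: a model of the scheme check an allowlist
# sanitizer applies to href/src values. It decodes character references and
# removes ASCII control characters before looking at the scheme, and contrasts
# that with a naive prefix test. SAFE_SCHEMES, the function names and PAYLOADS
# are assumptions made for this illustration.

SAFE_SCHEMES = %w[http https mailto ftp].freeze

# Named references that matter for URL attribute values; &colon; is an HTML5
# name browsers decode, so "javascript&colon;..." becomes "javascript:...".
NAMED_ENTITIES = {
  "amp" => "&", "lt" => "<", "gt" => ">", "quot" => '"', "apos" => "'",
  "colon" => ":", "tab" => "\t", "newline" => "\n"
}.freeze

# Decode numeric (&#106; / &#x6A;) and the named references above. The
# trailing ';' is optional because browsers accept its absence as well.
def decode_entities(value)
  value.gsub(/&#x([0-9a-f]+);?|&#([0-9]+);?|&([a-z]+);?/i) do |match|
    if $3
      NAMED_ENTITIES.fetch($3.downcase, match) # unknown name: leave as written
    else
      cp = $1 ? $1.hex : $2.to_i
      # Out-of-range or surrogate code points cannot be encoded; use U+FFFD
      # instead of letting Integer#chr raise.
      if cp > 0x10FFFF || (0xD800..0xDFFF).cover?(cp)
        "\uFFFD"
      else
        cp.chr(Encoding::UTF_8)
      end
    end
  end
end

# Scheme of a URL attribute value after the normalisation a browser applies:
# references decoded, then ASCII control characters and spaces removed.
# Returns nil when the value has no scheme (a relative URL).
def scheme_of(value)
  normalized = decode_entities(value.to_s).gsub(/[\u0000-\u0020]/, "")
  m = normalized.match(/\A([a-z][a-z0-9+.\-]*):/i)
  m && m[1].downcase
end

# Allowlist decision: relative URLs and listed schemes pass, everything else
# (javascript:, vbscript:, data:, unknown schemes) is rejected.
def safe_url?(value)
  scheme = scheme_of(value)
  scheme.nil? || SAFE_SCHEMES.include?(scheme)
end

# The kind of check the tricks are aimed at: a plain prefix comparison.
def naive_safe_url?(value)
  !value.to_s.strip.downcase.start_with?("javascript:")
end

# Constructed inputs (not from the page), each paired with the verdict a
# sanitizer must reach.
PAYLOADS = {
  "javascript:alert(1)"                      => false,
  "JaVaScRiPt:alert(1)"                      => false,
  "&#106;avascript:alert(1)"                 => false, # decimal reference for 'j'
  "&#x6A;avascript:alert(1)"                 => false, # hex reference for 'j'
  "&#106avascript:alert(1)"                  => false, # reference without ';'
  "jav&#x09;ascript:alert(1)"                => false, # tab inside the scheme
  "java\u0000script:alert(1)"                => false, # NUL inside the scheme
  " \n\tjavascript:alert(1)"                 => false, # leading whitespace
  "javascript&colon;alert(1)"                => false, # HTML5 named reference
  "vbscript:MsgBox(1)"                       => false,
  "data:text/html,<script>alert(1)</script>" => false,
  "https://rubyonrails.org/"                 => true,
  "mailto:hello@example.com"                 => true,
  "/relative/path?q=1"                       => true,
  "//cdn.example.com/app.js"                 => true
}.freeze

# Payloads the naive check lets through but the normalised check rejects.
def bypasses_naive_check
  PAYLOADS.keys.select { |url| naive_safe_url?(url) && !safe_url?(url) }
end

# True when the normalised check reaches the expected verdict for every payload.
def all_verdicts_correct?
  PAYLOADS.all? { |url, expected| safe_url?(url) == expected }
end

if __FILE__ == $0
  PAYLOADS.each_key do |url|
    printf("%-45s naive=%-5s normalised=%s\n", url.inspect, naive_safe_url?(url), safe_url?(url))
  end
  puts "payloads that bypass the naive check: #{bypasses_naive_check.size}"
end
```

The ordering is the point: decode references first, remove control characters second, compare the scheme last. Doing the comparison before either step is what each encoded payload exploits, and the allowlist (rather than a javascript: blocklist) is what catches vbscript: and data: without any special casing.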
# File 'actionview/lib/action_view/helpers/sanitize_helper.rb', line 59
def sanitize(html, options = {})
  self.class.white_list_sanitizer.sanitize(html, options).try(:html_safe)
end
#sanitize_css(style) ⇒ Object
Sanitizes a block of CSS code. Used by sanitize when it comes across a style attribute.
# File 'actionview/lib/action_view/helpers/sanitize_helper.rb', line 64
def sanitize_css(style)
  self.class.white_list_sanitizer.sanitize_css(style)
end
#strip_links(html) ⇒ Object
Strips all link tags from html, leaving just the link text.
strip_links('<a href="http://www.rubyonrails.org">Ruby on Rails</a>')
# => Ruby on Rails
strip_links('Please e-mail me at <a href="mailto:[email protected]">[email protected]</a>.')
# => Please e-mail me at [email protected].
strip_links('Blog: <a href="http://www.myblog.com/" class="nav" target="_blank">Visit</a>.')
# => Blog: Visit.
# File 'actionview/lib/action_view/helpers/sanitize_helper.rb', line 94
def strip_links(html)
  self.class.link_sanitizer.sanitize(html)
end
#strip_tags(html) ⇒ Object
Strips all HTML tags from html, including comments. This uses the html-scanner tokenizer and so its HTML parsing ability is limited by that of html-scanner.
strip_tags("Strip <i>these</i> tags!")
# => Strip these tags!
strip_tags("<b>Bold</b> no more! <a href='more.html'>See more here</a>...")
# => Bold no more! See more here...
strip_tags("<div id='top-bar'>Welcome to my website!</div>")
# => Welcome to my website!
# File 'actionview/lib/action_view/helpers/sanitize_helper.rb', line 80
def strip_tags(html)
  self.class.full_sanitizer.sanitize(html)
end