Class: PublishingPlatformMarkdown::HtmlSanitizer

Inherits:

Object

Object
PublishingPlatformMarkdown::HtmlSanitizer

show all

Defined in:: lib/publishing_platform_markdown/html_sanitizer.rb

Instance Method Summary collapse

#initialize(dirty_html, _options = {}) ⇒ HtmlSanitizer constructor

A new instance of HtmlSanitizer.
#sanitize(allowed_elements: []) ⇒ Object
#sanitize_config(allowed_elements: []) ⇒ Object

Constructor Details

#initialize(dirty_html, _options = {}) ⇒ `HtmlSanitizer`

Returns a new instance of HtmlSanitizer.



2
3
4

# File 'lib/publishing_platform_markdown/html_sanitizer.rb', line 2

def initialize(dirty_html, _options = {})
  @dirty_html = dirty_html
end

Instance Method Details

#sanitize(allowed_elements: []) ⇒ `Object`



6
7
8

# File 'lib/publishing_platform_markdown/html_sanitizer.rb', line 6

def sanitize(allowed_elements: [])
  Sanitize.fragment(@dirty_html, sanitize_config(allowed_elements:))
end

#sanitize_config(allowed_elements: []) ⇒ `Object`

# File 'lib/publishing_platform_markdown/html_sanitizer.rb', line 10

def sanitize_config(allowed_elements: [])
  # We purposefully disable style elements which Sanitize::Config::RELAXED allows
  elements = Sanitize::Config::RELAXED[:elements] - %w[style] +
    %w[svg path].concat(allowed_elements)

  Sanitize::Config.merge(
    Sanitize::Config::RELAXED,
    elements:,
    attributes: {
      # We purposefully disable style attributes which Sanitize::Config::RELAXED allows
      :all => Sanitize::Config::RELAXED[:attributes][:all] + %w[role aria-label] - %w[style],
      "a" => Sanitize::Config::RELAXED[:attributes]["a"] + [:data] + %w[draggable],
      "svg" => %w[xmlns width height viewbox focusable],
      "path" => %w[fill d],
      "div" => [:data],
      # The style attributes are permitted here just for the ones Kramdown for table alignment
      # we replace them in a post processor.
      "th" => Sanitize::Config::RELAXED[:attributes]["th"] + %w[style],
      "td" => Sanitize::Config::RELAXED[:attributes]["td"] + %w[style],
    },
    # The only styling we permit is text-align on table cells (which is the CSS kramdown
    # generates), we can therefore only allow this one CSS property
    css: { properties: %w[text-align] },
  )
end

Class: PublishingPlatformMarkdown::HtmlSanitizer

Instance Method Summary collapse

Constructor Details

#initialize(dirty_html, _options = {}) ⇒ HtmlSanitizer

Instance Method Details

#sanitize(allowed_elements: []) ⇒ Object

#sanitize_config(allowed_elements: []) ⇒ Object

#initialize(dirty_html, _options = {}) ⇒ `HtmlSanitizer`

#sanitize(allowed_elements: []) ⇒ `Object`

#sanitize_config(allowed_elements: []) ⇒ `Object`