Module: Rails::HTML::Concern::Scrubber::SafeList

Included in:
Rails::HTML4::SafeListSanitizer, Rails::HTML5::SafeListSanitizer
Defined in:
lib/rails/html/sanitizer.rb

Constant Summary collapse

DEFAULT_ALLOWED_TAGS =

The default safe list for tags

Set.new([
  "a",
  "abbr",
  "acronym",
  "address",
  "b",
  "big",
  "blockquote",
  "br",
  "cite",
  "code",
  "dd",
  "del",
  "dfn",
  "div",
  "dl",
  "dt",
  "em",
  "h1",
  "h2",
  "h3",
  "h4",
  "h5",
  "h6",
  "hr",
  "i",
  "img",
  "ins",
  "kbd",
  "li",
  "mark",
  "ol",
  "p",
  "pre",
  "samp",
  "small",
  "span",
  "strong",
  "sub",
  "sup",
  "time",
  "tt",
  "ul",
  "var",
]).freeze
DEFAULT_ALLOWED_ATTRIBUTES =

The default safe list for attributes

Set.new([
  "abbr",
  "alt",
  "cite",
  "class",
  "datetime",
  "height",
  "href",
  "lang",
  "name",
  "src",
  "title",
  "width",
  "xml:lang",
]).freeze

Class Method Summary collapse

Instance Method Summary collapse

Class Method Details

.included(klass) ⇒ Object



142
143
144
145
146
147
148
149
150
# File 'lib/rails/html/sanitizer.rb', line 142

def self.included(klass)
  class << klass
    attr_accessor :allowed_tags
    attr_accessor :allowed_attributes
  end

  klass.allowed_tags = DEFAULT_ALLOWED_TAGS.dup
  klass.allowed_attributes = DEFAULT_ALLOWED_ATTRIBUTES.dup
end

Instance Method Details

#initialize(prune: false) ⇒ Object



152
153
154
# File 'lib/rails/html/sanitizer.rb', line 152

def initialize(prune: false)
  @permit_scrubber = PermitScrubber.new(prune: prune)
end

#sanitize_css(style_string) ⇒ Object



169
170
171
# File 'lib/rails/html/sanitizer.rb', line 169

def sanitize_css(style_string)
  Loofah::HTML5::Scrub.scrub_css(style_string)
end

#scrub(fragment, options = {}) ⇒ Object



156
157
158
159
160
161
162
163
164
165
166
167
# File 'lib/rails/html/sanitizer.rb', line 156

def scrub(fragment, options = {})
  if scrubber = options[:scrubber]
    # No duck typing, Loofah ensures subclass of Loofah::Scrubber
    fragment.scrub!(scrubber)
  elsif allowed_tags(options) || allowed_attributes(options)
    @permit_scrubber.tags = allowed_tags(options)
    @permit_scrubber.attributes = allowed_attributes(options)
    fragment.scrub!(@permit_scrubber)
  else
    fragment.scrub!(:strip)
  end
end