module ActionView::Helpers::SanitizeHelper

def sanitize(html, options = {})

This +sanitize+ helper will html encode all tags and strip all attributes that aren't specifically allowed. It also strips href/src attributes with invalid protocols, like javascript: especially. It does its best to counter any tricks that hackers may use, like throwing in unicode/ascii/hex values to get past the javascript: filters. Check out the extensive test suite.

  <%= sanitize @article.body %>

You can add or remove tags/attributes if you want to customize it a bit. See ActionView::Base for full docs on the available options. You can add tags/attributes for single uses of +sanitize+ by passing either the :attributes or :tags options:

Normal Use

  <%= sanitize @article.body %>

Custom Use (only the mentioned tags and attributes are allowed, nothing else)

  <%= sanitize @article.body, :tags => %w(table tr td), :attributes => %w(id class style) %>

Add table tags to the default allowed tags

  Rails::Initializer.run do |config|
    config.action_view.sanitized_allowed_tags = 'table', 'tr', 'td'
  end

Remove tags from the default allowed tags

  Rails::Initializer.run do |config|
    config.after_initialize do
      ActionView::Base.sanitized_allowed_tags.delete 'div'
    end
  end

Change allowed default attributes

  Rails::Initializer.run do |config|
    config.action_view.sanitized_allowed_attributes = 'id', 'class', 'style'
  end

Please note that sanitizing user-provided text does not guarantee that the resulting markup is valid (conforming to a document type) or even well-formed. The output may still contain e.g. unescaped '<', '>', '&' characters and confuse browsers.

def sanitize(html, options = {})
  self.class.white_list_sanitizer.sanitize(html, options).try(:html_safe)
end
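The behaviour described above, as an added illustration that is not Rails' own code and not a substitute for the helper: a minimal allow-list sanitizer in plain Ruby. It drops tags that are not on the allow list, strips attributes that are not on the allow list, and removes href/src values whose scheme is not allowed, decoding HTML entities and removing control characters first so that an obfuscated javascript: scheme is caught (the "unicode/ascii/hex values" the text refers to). The allow lists, the DROPPED_CONTENT_TAGS list and the sample inputs are constructed for this example; Rails' own defaults and internals differ.

```ruby
# Added example (not Rails' own code): a minimal allow-list HTML sanitizer that
# mirrors the rules the +sanitize+ documentation describes. Allow lists below
# are constructed for this example, not Rails' defaults.
require 'cgi'

ALLOWED_TAGS         = %w[a b i em strong p br img].freeze
ALLOWED_ATTRIBUTES   = %w[href src title].freeze
ALLOWED_PROTOCOLS    = %w[http https mailto].freeze
URI_ATTRIBUTES       = %w[href src].freeze
DROPPED_CONTENT_TAGS = %w[script style].freeze # their text content is removed too

# A start or end tag: captures the closing slash, the tag name and the raw attribute string.
TAG_RE  = %r{<(/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*)>}
# One attribute inside a tag: name="value", name='value', name=value or a bare name.
ATTR_RE = /([a-zA-Z][\w:-]*)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/

# True when the value carries no scheme or an allowed one. Entities are decoded and
# control characters removed first, because browsers normalise the URL the same way
# before interpreting it; a check on the raw string alone would be bypassable.
def safe_uri?(value)
  decoded = CGI.unescapeHTML(value).gsub(/[\u0000-\u0020\u007f]/, '')
  return true unless decoded.include?(':')
  scheme = decoded.split(':', 2).first.downcase
  return true if scheme.include?('/') # "/path/a:b" is a relative URL, not a scheme
  ALLOWED_PROTOCOLS.include?(scheme)
end

# Returns the attributes to keep, re-serialised with a normalised, escaped value.
def sanitize_attributes(raw)
  raw.scan(ATTR_RE).each_with_object([]) do |(name, dq, sq, bare), kept|
    name = name.downcase
    next unless ALLOWED_ATTRIBUTES.include?(name) # drops onclick, onerror, style, ...
    value = dq || sq || bare || ''
    next if URI_ATTRIBUTES.include?(name) && !safe_uri?(value)
    kept << %(#{name}="#{CGI.escapeHTML(CGI.unescapeHTML(value))}")
  end
end

# Rebuilds the input tag by tag. Text outside tags has '<' and '>' encoded so a stray
# angle bracket cannot open a new tag. Nothing here balances tags: as with the real
# helper, the output is filtered, not guaranteed to be well-formed.
def sanitize_html(html)
  out = +''
  pos = 0
  skipping = false
  html.scan(TAG_RE) do
    m = Regexp.last_match
    text = html[pos...m.begin(0)]
    out << text.gsub('<', '&lt;').gsub('>', '&gt;') unless skipping
    pos = m.end(0)
    closing, name, attrs = m[1] == '/', m[2].downcase, m[3]
    skipping = !closing if DROPPED_CONTENT_TAGS.include?(name)
    next unless ALLOWED_TAGS.include?(name) # disallowed tags are dropped outright
    if closing
      out << "</#{name}>"
    else
      out << "<#{name}" << sanitize_attributes(attrs).map { |a| " #{a}" }.join << '>'
    end
  end
  out << html[pos..-1].gsub('<', '&lt;').gsub('>', '&gt;') unless skipping
  out
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs
  puts sanitize_html('<p>Hi <b>there</b><script>alert(1)</script></p>')
  puts sanitize_html('<a href="&#106;avascript:alert(1)" onclick="x()">click</a>')
  puts sanitize_html('<b>unclosed')
end
```

The last sample shows the caveat from the documentation in practice: an unclosed tag passes through unchanged, because an allow-list filter decides what to keep, not whether the result is well-formed.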

def sanitize_css(style)

Sanitizes a block of CSS code. Used by +sanitize+ when it comes across a style attribute.
def sanitize_css(style)
  self.class.white_list_sanitizer.sanitize_css(style)
end

def strip_links(html)

Strips all link tags from +html+ leaving just the link text.

==== Examples

  strip_links('<a href="http://www.rubyonrails.org">Ruby on Rails</a>')
  # => Ruby on Rails

  strip_links('Please e-mail me at <a href="mailto:me@email.com">me@email.com</a>.')
  # => Please e-mail me at me@email.com.

  strip_links('Blog: <a href="http://www.myblog.com/" class="nav" target="_blank">Visit</a>.')
  # => Blog: Visit.

def strip_links(html)
  self.class.link_sanitizer.sanitize(html)
end

def strip_tags(html)

Strips all HTML tags from the +html+, including comments. This uses the html-scanner tokenizer and so its HTML parsing ability is limited by that of html-scanner.

==== Examples

  strip_tags("Strip <i>these</i> tags!")
  # => Strip these tags!

  strip_tags("<b>Bold</b> no more!  <a href='more.html'>See more here</a>...")
  # => Bold no more!  See more here...

  strip_tags("<div id='top-bar'>Welcome to my website!</div>")
  # => Welcome to my website!

def strip_tags(html)
  self.class.full_sanitizer.sanitize(html).try(:html_safe)
end
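The difference between strip_links and strip_tags, as an added demonstration that is not Rails' html-scanner-based implementation: regex-based counterparts of the two helpers, written for this page. strip_tags_demo removes comments first (a comment body may itself contain tag-like text) and then every tag; strip_links_demo removes only the anchor start and end tags and keeps the anchor text and all other markup. The function names and the sample inputs are constructed for this example.

```ruby
# Added example (not Rails' own code): regex-based counterparts of strip_tags and
# strip_links showing what each keeps and discards. Like any tokenizer-based
# stripper, the parsing ability here is limited by the regexes below.
COMMENT_RE  = /<!--.*?-->/m
ANY_TAG_RE  = %r{</?[a-zA-Z][^>]*>}
LINK_TAG_RE = %r{</?a\b[^>]*>}i # <a ...> and </a> only; <abbr> etc. are untouched

# Removes comments (including anything tag-like inside them), then every remaining tag.
def strip_tags_demo(html)
  html.gsub(COMMENT_RE, '').gsub(ANY_TAG_RE, '')
end

# Removes only the anchor tags; the link text and all other markup stay.
def strip_links_demo(html)
  html.gsub(LINK_TAG_RE, '')
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs
  puts strip_tags_demo("<div id='top-bar'>Welcome <!-- <b>draft</b> -->to my website!</div>")
  puts strip_links_demo('<b>Bold</b> <a href="http://www.myblog.com/" class="nav">Visit</a>.')
end
```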