module ActionView::Helpers::SanitizeHelper

def sanitize(html, options = {})

This +sanitize+ helper will html encode all tags and strip all attributes that
aren't specifically allowed.

It also strips href/src attributes with invalid protocols, javascript: in
particular. It does its best to counter any tricks that hackers may use, like
throwing in unicode/ascii/hex values to get past the javascript: filters. Check
out the extensive test suite.

  <%= sanitize @article.body %>

You can add or remove tags/attributes if you want to customize it a bit.
See ActionView::Base for full docs on the available options. You can add
tags/attributes for single uses of +sanitize+ by passing either the
:attributes or :tags options:

Normal Use

  <%= sanitize @article.body %>

Custom Use (only the mentioned tags and attributes are allowed, nothing else)

  <%= sanitize @article.body, :tags => %w(table tr td), :attributes => %w(id class style) %>

Add table tags to the default allowed tags

  class Application < Rails::Application
    config.action_view.sanitized_allowed_tags = 'table', 'tr', 'td'
  end

Remove tags from the default allowed tags

  class Application < Rails::Application
    config.after_initialize do
      ActionView::Base.sanitized_allowed_tags.delete 'div'
    end
  end

Change allowed default attributes

  class Application < Rails::Application
    config.action_view.sanitized_allowed_attributes = 'id', 'class', 'style'
  end

Please note that sanitizing user-provided text does not guarantee that the
resulting markup is valid (conforming to a document type) or even well-formed.
The output may still contain e.g. unescaped '<', '>', '&' characters and
confuse browsers.

Source:

  def sanitize(html, options = {})
    self.class.white_list_sanitizer.sanitize(html, options).try(:html_safe)
  end
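The allowlist behaviour the docs describe (encode tags outside the allowlist, strip attributes outside it, and drop href/src values whose protocol is not allowed even when the value is obfuscated with numeric entities or embedded control characters) as a self-contained Ruby model. This is example code added here, not Rails' own sanitizer (which is backed by a real HTML parser in the rails-html-sanitizer gem); the tag, attribute and protocol lists are assumed defaults, the `tags:`/`attributes:` keywords stand in for the helper's `:tags`/`:attributes` options, and every input string in the tests is constructed. The last case also reproduces the documented caveat: a bare '<' that does not start a tag passes through unencoded.

```ruby
require 'cgi'

# Constructed teaching model of an allowlist HTML sanitizer. NOT the Rails
# implementation; it only illustrates the documented behaviours.
ALLOWED_TAGS      = %w[a b i em strong p img].freeze   # assumed default allowlist
ALLOWED_ATTRS     = %w[href src title alt].freeze      # assumed default allowlist
URI_ATTRS         = %w[href src].freeze                # attributes that carry a URL
ALLOWED_PROTOCOLS = %w[http https mailto].freeze       # assumed scheme allowlist

TAG_RE  = %r{</?([A-Za-z][A-Za-z0-9]*)\b([^>]*)>}
ATTR_RE = /([A-Za-z][A-Za-z0-9_:-]*)\s*(?:=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/

# Decode numeric entities (with or without the trailing ';', as browsers do)
# plus the common named ones. Anything else is deliberately left in place so
# safe_uri? can refuse what it could not decode.
def decode_entities(s)
  s.gsub(/&#(?:[xX]([0-9a-fA-F]+)|([0-9]+));?/) { |_|
    code = $1 ? $1.hex : $2.to_i
    code.chr(Encoding::UTF_8) rescue ''     # invalid code points simply vanish
  }.gsub(/&(amp|lt|gt|quot|apos);?/) {
    { 'amp' => '&', 'lt' => '<', 'gt' => '>', 'quot' => '"', 'apos' => "'" }[$1]
  }
end

# True when the (decoded) value is a relative URL or uses an allowed scheme.
def safe_uri?(raw)
  value = decode_entities(raw)
  # An entity we could not decode may still be decoded by the browser: refuse it.
  return false if value.match?(/&(?:#|[a-zA-Z])[a-zA-Z0-9]*;/)
  # Browsers ignore ASCII controls and whitespace when reading the scheme.
  value = value.gsub(/[\x00-\x20\x7f]/, '').downcase
  scheme = value[/\A([a-z][a-z0-9+.\-]*):/, 1]
  scheme.nil? || ALLOWED_PROTOCOLS.include?(scheme)   # nil => no scheme, relative
end

def sanitize(html, tags: ALLOWED_TAGS, attributes: ALLOWED_ATTRS)
  html.gsub(TAG_RE) do |tag|
    name, attr_src = $1.downcase, $2
    # Tags outside the allowlist are encoded rather than deleted: the text
    # survives, but the browser never sees a real element.
    next CGI.escapeHTML(tag) unless tags.include?(name)
    next "</#{name}>" if tag.start_with?('</')

    kept = []
    attr_src.scan(ATTR_RE) do |aname, dq, sq, bare|
      aname = aname.downcase
      next unless attributes.include?(aname)           # strip unknown attributes
      value = dq || sq || bare || ''
      next if URI_ATTRS.include?(aname) && !safe_uri?(value)
      # Decode once, then re-encode, so the emitted value is canonical.
      kept << %( #{aname}="#{CGI.escapeHTML(decode_entities(value))}")
    end
    "<#{name}#{kept.join}>"
  end
end

if __FILE__ == $0
  puts sanitize('<p onclick="x()">hi <b>there</b></p>')
  puts sanitize('<a href="&#106;avascript:alert(1)">x</a>')
  puts sanitize('2 < 3 & 4 > 1')
end
```

The "refuse what you cannot decode" rule in safe_uri? is the design point: a sanitizer that only recognises a subset of entities must treat any surviving entity in a URL as hostile, because the browser's decoder is more complete than its own.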