module ActionView::Helpers::SanitizeHelper

def sanitize(html, options = {})

Sanitizes HTML input, stripping all but known-safe tags and attributes.

It also strips +href+ / +src+ attributes with unsafe protocols like +javascript:+, while
also protecting against attempts to use Unicode, ASCII, and hex character references to work
around these protocol filters.

The default sanitizer is +Rails::HTML5::SafeListSanitizer+. See {Rails HTML
Sanitizers}[https://github.com/rails/rails-html-sanitizer] for more information.

Custom sanitization rules can also be provided.

Please note that sanitizing user-provided text does not guarantee that the
resulting markup is valid or even well-formed.

==== Options

[+:tags+]
  An array of allowed tags.
[+:attributes+]
  An array of allowed attributes.
[+:scrubber+]
  A {Rails::HTML scrubber}[https://github.com/rails/rails-html-sanitizer]
  or {Loofah::Scrubber}[https://github.com/flavorjones/loofah] object that
  defines custom sanitization rules. A custom scrubber takes precedence over
  custom tags and attributes.

==== Examples

===== Normal use

  <%= sanitize @comment.body %>

===== Providing custom lists of permitted tags and attributes

  <%= sanitize @comment.body, tags: %w(strong em a), attributes: %w(href) %>

===== Providing a custom +Rails::HTML+ scrubber

  class CommentScrubber < Rails::HTML::PermitScrubber
    def initialize
      super
      self.tags = %w( form script comment blockquote )
      self.attributes = %w( style )
    end

    def skip_node?(node)
      node.text?
    end
  end

  <%= sanitize @comment.body, scrubber: CommentScrubber.new %>

See {Rails HTML Sanitizer}[https://github.com/rails/rails-html-sanitizer] for
documentation about +Rails::HTML+ scrubbers.

===== Providing a custom +Loofah::Scrubber+

  scrubber = Loofah::Scrubber.new do |node|
    node.remove if node.name == 'script'
  end

  <%= sanitize @comment.body, scrubber: scrubber %>

See {Loofah's documentation}[https://github.com/flavorjones/loofah] for more
information about defining custom +Loofah::Scrubber+ objects.

==== Global Configuration

To set the default allowed tags or attributes across your application:

  # In config/application.rb
  config.action_view.sanitized_allowed_tags = ['strong', 'em', 'a']
  config.action_view.sanitized_allowed_attributes = ['href', 'title']

The default, starting in \Rails 7.1, is to use an HTML5 parser for sanitization (if it is
available, see NOTE below). If you wish to revert back to the previous HTML4 behavior, you
can do so by setting the following in your application configuration:

  # In config/application.rb
  config.action_view.sanitizer_vendor = Rails::HTML4::Sanitizer

Or, if you're upgrading from a previous version of \Rails and wish to opt into the HTML5
behavior:

  # In config/application.rb
  config.action_view.sanitizer_vendor = Rails::HTML5::Sanitizer

NOTE: +Rails::HTML5::Sanitizer+ is not supported on JRuby, so on JRuby platforms \Rails will

Source:

  def sanitize(html, options = {})
    self.class.safe_list_sanitizer.sanitize(html, options)&.html_safe
  end
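The protocol filtering described above for +href+ / +src+ (decode character references, drop the characters a browser ignores, then compare the scheme with an allow-list), as an added stand-alone Ruby model. This is not rails-html-sanitizer's own code, which receives already-decoded attribute values from the Loofah/Nokogiri parser and applies its own rules; the named-reference table and the scheme allow-list below are constructed for the demo.

```ruby
# Constructed for this demo: a few named references browsers decode in
# attribute values, and an illustrative allow-list of URL schemes.
NAMED_REFS = { "colon" => ":", "tab" => "\t", "newline" => "\n",
               "amp" => "&", "lt" => "<", "gt" => ">", "quot" => '"' }.freeze
SAFE_SCHEMES = %w[http https mailto ftp tel].freeze

# Decode numeric references (&#106; &#x6A;, with or without the ';') and the
# named ones above, as an HTML parser does before the value reaches the check.
def decode_char_refs(value)
  value.gsub(/&(?:#x([0-9a-f]+)|#([0-9]+)|([a-z]+));?/i) do |ref|
    if $3
      NAMED_REFS.fetch($3.downcase, ref)        # unknown name: leave untouched
    else
      code = $1 ? $1.to_i(16) : $2.to_i
      # Only ASCII can form a scheme, so anything else becomes U+FFFD.
      code.between?(1, 0x7F) ? code.chr : "\uFFFD"
    end
  end
end

# Browsers drop tab/CR/LF anywhere in a URL and trim leading/trailing C0
# controls and spaces, so "java\tscript:" still runs; mirror that first.
def normalize_url(value)
  decode_char_refs(value).delete("\t\r\n").gsub(/\A[\x00-\x20]+|[\x00-\x20]+\z/, "")
end

# The scheme, downcased, or nil for a relative (scheme-less) URL.
def url_scheme(value)
  m = normalize_url(value).match(/\A([a-z][a-z0-9+.\-]*):/i)
  m && m[1].downcase
end

# True when the value may stay on an href/src attribute.
def safe_url?(value)
  scheme = url_scheme(value)
  scheme.nil? || SAFE_SCHEMES.include?(scheme)
end

# Drop unsafe href/src attributes from a hash of attribute name => value,
# mirroring the sanitizer's behaviour of removing rather than rewriting them.
def scrub_url_attributes(attrs)
  attrs.reject { |name, value| %w[href src].include?(name) && !safe_url?(value) }
end
```

Relative URLs (no scheme) pass, because an allow-list of schemes has nothing to compare against; the real sanitizer still restricts which attributes may carry them at all.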
def sanitize_css(style)

Sanitizes a block of CSS code.

Source:

  def sanitize_css(style)
    self.class.safe_list_sanitizer.sanitize_css(style)
  end
def strip_links(html)

Strips all link tags from +html+ leaving just the link text.

  strip_links('<a href="http://www.rubyonrails.org">Ruby on Rails</a>')
  # => Ruby on Rails

  strip_links('Please e-mail me at <a href="mailto:me@email.com">me@email.com</a>.')
  # => Please e-mail me at me@email.com.

  strip_links('Blog: <a href="http://www.myblog.com/" class="nav" target="_blank">Visit</a>.')
  # => Blog: Visit.

  strip_links('<<a href="https://example.org">malformed & link</a>')
  # => &lt;malformed &amp; link

Source:

  def strip_links(html)
    self.class.link_sanitizer.sanitize(html)
  end
def strip_tags(html)

Strips all HTML tags from +html+, including comments and special characters.

  strip_tags("Strip <i>these</i> tags!")
  # => Strip these tags!

  strip_tags("<b>Bold</b> no more! <a href='more.html'>See more here</a>...")
  # => Bold no more! See more here...

  strip_tags("<div id='top-bar'>Welcome to my website!</div>")
  # => Welcome to my website!

  strip_tags("> A quote from Smith & Wesson")
  # => &gt; A quote from Smith &amp; Wesson

Source:

  def strip_tags(html)
    self.class.full_sanitizer.sanitize(html)&.html_safe
  end