lib/loofah/helpers.rb
# frozen_string_literal: true module Loofah module Helpers class << self # # A replacement for Rails's built-in +strip_tags+ helper. # # Loofah::Helpers.strip_tags("<div>Hello <b>there</b></div>") # => "Hello there" # def strip_tags(string_or_io) Loofah.html4_fragment(string_or_io).text end # # A replacement for Rails's built-in +sanitize+ helper. # # Loofah::Helpers.sanitize("<script src=http://ha.ckers.org/xss.js></script>") # # => "<script src=\"http://ha.ckers.org/xss.js\"></script>" # def sanitize(string_or_io) loofah_fragment = Loofah.html4_fragment(string_or_io) loofah_fragment.scrub!(:strip) loofah_fragment.xpath("./form").each(&:remove) loofah_fragment.to_s end # # A replacement for Rails's built-in +sanitize_css+ helper. # # Loofah::Helpers.sanitize_css("display:block;background-image:url(http://example.com/foo.jpg)") # # => "display: block;" # def sanitize_css(style_string) ::Loofah::HTML5::Scrub.scrub_css(style_string) end # # A helper to remove extraneous whitespace from text-ified HTML. # # TODO: remove this in a future major-point-release. # def remove_extraneous_whitespace(string) Loofah.remove_extraneous_whitespace(string) end end module ActionView module ClassMethods # :nodoc: def full_sanitizer @full_sanitizer ||= ::Loofah::Helpers::ActionView::FullSanitizer.new end def safe_list_sanitizer @safe_list_sanitizer ||= ::Loofah::Helpers::ActionView::SafeListSanitizer.new end def white_list_sanitizer warn("warning: white_list_sanitizer is deprecated, please use safe_list_sanitizer instead.") safe_list_sanitizer end end # # Replacement class for Rails's HTML::FullSanitizer. # # To use by default, call this in an application initializer: # # ActionView::Helpers::SanitizeHelper.full_sanitizer = \ # Loofah::Helpers::ActionView::FullSanitizer.new # # Or, to generally opt-in to Loofah's view sanitizers: # # Loofah::Helpers::ActionView.set_as_default_sanitizer # class FullSanitizer def sanitize(html, *args) Loofah::Helpers.strip_tags(html) end end # # Replacement class for Rails's HTML::WhiteListSanitizer. # # To use by default, call this in an application initializer: # # ActionView::Helpers::SanitizeHelper.safe_list_sanitizer = \ # Loofah::Helpers::ActionView::SafeListSanitizer.new # # Or, to generally opt-in to Loofah's view sanitizers: # # Loofah::Helpers::ActionView.set_as_default_sanitizer # class SafeListSanitizer def sanitize(html, *args) Loofah::Helpers.sanitize(html) end def sanitize_css(style_string, *args) Loofah::Helpers.sanitize_css(style_string) end end WhiteListSanitizer = SafeListSanitizer if Object.respond_to?(:deprecate_constant) deprecate_constant :WhiteListSanitizer end end end end