class Rails::Html::SafeListSanitizer

=== Rails::Html::SafeListSanitizer

Sanitizes html and css from an extensive safe list (see link further down).

=== Whitespace

We can't make any guarantees about whitespace being kept or stripped.
Loofah uses Nokogiri, which wraps either a C or Java parser for the
respective Ruby implementation. Those two parsers determine how whitespace
is ultimately handled.

When the stripped markup is rendered, the user's browser won't take
whitespace into account anyway. It might be better to suggest your users
wrap their whitespace-sensitive content in pre tags, or that you do so
automatically.

=== Options

Sanitizes both html and css via the safe lists found here:

SafeListSanitizer also accepts options to configure the safe list used when
sanitizing html. There's a class level option:

  Rails::Html::SafeListSanitizer.allowed_tags = %w(table tr td)
  Rails::Html::SafeListSanitizer.allowed_attributes = %w(id class style)

Tags and attributes can also be passed to sanitize. Passed options take
precedence over the class level options. When a tags: list is passed per
call and Loofah is not in HTML5 mode, 'style' is removed from that list if
'select' is also present (a warning is printed); the two must not be
allowed together. Check that the list you expect is the list that was
applied.

=== Examples

  safe_list_sanitizer = Rails::Html::SafeListSanitizer.new

  # default: sanitize via an extensive safe list of allowed elements
  safe_list_sanitizer.sanitize(@article.body)

  # safe list via the supplied tags and attributes
  safe_list_sanitizer.sanitize(@article.body, tags: %w(table tr td),
                                              attributes: %w(id class style))

  # safe list via a custom scrubber
  safe_list_sanitizer.sanitize(@article.body, scrubber: ArticleScrubber.new)

  # sanitize_css doesn't take options
  safe_list_sanitizer.sanitize_css('background-color: #000;')
=== Implementation

The methods below are the sanitizer's own source. remove_xpaths and
properly_encode are inherited from the Rails::Html::Sanitizer base class
and XPATHS_TO_REMOVE is defined in the Rails::Html module. Two points to
keep in mind: the 'select'/'style' check in remove_safelist_tag_combinations
runs only on a per-call tags: list (the class-level list is returned as is
by allowed_tags), and it deletes 'style' from the very array the caller
passed in.

  def initialize
    @permit_scrubber = PermitScrubber.new
  end

  def sanitize(html, options = {})
    return unless html
    return html if html.empty?

    loofah_fragment = Loofah.fragment(html)

    if scrubber = options[:scrubber]
      # No duck typing, Loofah ensures subclass of Loofah::Scrubber
      loofah_fragment.scrub!(scrubber)
    elsif allowed_tags(options) || allowed_attributes(options)
      # per-call or class-level safe lists, applied through PermitScrubber
      @permit_scrubber.tags = allowed_tags(options)
      @permit_scrubber.attributes = allowed_attributes(options)
      loofah_fragment.scrub!(@permit_scrubber)
    else
      # no safe list configured at all: drop script/form/comments, then strip
      remove_xpaths(loofah_fragment, XPATHS_TO_REMOVE)
      loofah_fragment.scrub!(:strip)
    end

    properly_encode(loofah_fragment, encoding: 'UTF-8')
  end

  def sanitize_css(style_string)
    Loofah::HTML5::Scrub.scrub_css(style_string)
  end

  private

    def loofah_using_html5?
      # future-proofing, see https://github.com/flavorjones/loofah/pull/239
      Loofah.respond_to?(:html5_mode?) && Loofah.html5_mode?
    end

    def remove_safelist_tag_combinations(tags)
      if !loofah_using_html5? && tags.include?("select") && tags.include?("style")
        warn("WARNING: #{self.class}: removing 'style' from safelist, should not be combined with 'select'")
        tags.delete("style")
      end
      tags
    end

    def allowed_tags(options)
      if options[:tags]
        remove_safelist_tag_combinations(options[:tags])
      else
        self.class.allowed_tags
      end
    end

    def allowed_attributes(options)
      options[:attributes] || self.class.allowed_attributes
    end