1 require 'action_view/helpers/tag_helper'
4 require 'html/document'
6 html_scanner_path
= "#{File.dirname(__FILE__)}/../../action_controller/vendor/html-scanner"
7 if File
.directory
?(html_scanner_path
)
8 $
:.unshift html_scanner_path
9 require 'html/document'
14 module Helpers
#:nodoc:
15 # The SanitizeHelper module provides a set of methods for scrubbing text of undesired HTML elements.
16 # These helper methods extend ActionView making them callable within your template files.
18 # This +sanitize+ helper will html encode all tags and strip all attributes that aren't specifically allowed.
19 # It also strips href/src tags with invalid protocols, like javascript: especially. It does its best to counter any
20 # tricks that hackers may use, like throwing in unicode/ascii/hex values to get past the javascript: filters. Check out
21 # the extensive test suite.
23 # <%= sanitize @article.body %>
25 # You can add or remove tags/attributes if you want to customize it a bit. See ActionView::Base for full docs on the
26 # available options. You can add tags/attributes for single uses of +sanitize+ by passing either the <tt>:attributes</tt> or <tt>:tags</tt> options:
30 # <%= sanitize @article.body %>
32 # Custom Use (only the mentioned tags and attributes are allowed, nothing else)
34 # <%= sanitize @article.body, :tags => %w(table tr td), :attributes => %w(id class style)
36 # Add table tags to the default allowed tags
38 # Rails::Initializer.run do |config|
39 # config.action_view.sanitized_allowed_tags = 'table', 'tr', 'td'
42 # Remove tags to the default allowed tags
44 # Rails::Initializer.run do |config|
45 # config.after_initialize do
46 # ActionView::Base.sanitized_allowed_tags.delete 'div'
50 # Change allowed default attributes
52 # Rails::Initializer.run do |config|
53 # config.action_view.sanitized_allowed_attributes = 'id', 'class', 'style'
56 # Please note that sanitizing user-provided text does not guarantee that the
57 # resulting markup is valid (conforming to a document type) or even well-formed.
58 # The output may still contain e.g. unescaped '<', '>', '&' characters and
61 def sanitize(html
, options
= {})
62 self.class.white_list_sanitizer
.sanitize(html
, options
)
65 # Sanitizes a block of CSS code. Used by +sanitize+ when it comes across a style attribute.
66 def sanitize_css(style
)
67 self.class.white_list_sanitizer
.sanitize_css(style
)
70 # Strips all HTML tags from the +html+, including comments. This uses the
71 # html-scanner tokenizer and so its HTML parsing ability is limited by
72 # that of html-scanner.
76 # strip_tags("Strip <i>these</i> tags!")
77 # # => Strip these tags!
79 # strip_tags("<b>Bold</b> no more! <a href='more.html'>See more here</a>...")
80 # # => Bold no more! See more here...
82 # strip_tags("<div id='top-bar'>Welcome to my website!</div>")
83 # # => Welcome to my website!
85 self.class.full_sanitizer
.sanitize(html
)
88 # Strips all link tags from +text+ leaving just the link text.
91 # strip_links('<a href="http://www.rubyonrails.org">Ruby on Rails</a>')
94 # strip_links('Please e-mail me at <a href="mailto:me@email.com">me@email.com</a>.')
95 # # => Please e-mail me at me@email.com.
97 # strip_links('Blog: <a href="http://www.myblog.com/" class="nav" target=\"_blank\">Visit</a>.')
100 self.class.link_sanitizer
.sanitize(html
)
103 module ClassMethods
#:nodoc:
104 attr_writer
:full_sanitizer, :link_sanitizer, :white_list_sanitizer
106 def sanitized_protocol_separator
107 white_list_sanitizer
.protocol_separator
110 def sanitized_uri_attributes
111 white_list_sanitizer
.uri_attributes
114 def sanitized_bad_tags
115 white_list_sanitizer
.bad_tags
118 def sanitized_allowed_tags
119 white_list_sanitizer
.allowed_tags
122 def sanitized_allowed_attributes
123 white_list_sanitizer
.allowed_attributes
126 def sanitized_allowed_css_properties
127 white_list_sanitizer
.allowed_css_properties
130 def sanitized_allowed_css_keywords
131 white_list_sanitizer
.allowed_css_keywords
134 def sanitized_shorthand_css_properties
135 white_list_sanitizer
.shorthand_css_properties
138 def sanitized_allowed_protocols
139 white_list_sanitizer
.allowed_protocols
142 def sanitized_protocol_separator
=(value
)
143 white_list_sanitizer
.protocol_separator
= value
146 # Gets the HTML::FullSanitizer instance used by +strip_tags+. Replace with
147 # any object that responds to +sanitize+.
149 # Rails::Initializer.run do |config|
150 # config.action_view.full_sanitizer = MySpecialSanitizer.new
154 @full_sanitizer ||= HTML
::FullSanitizer.new
157 # Gets the HTML::LinkSanitizer instance used by +strip_links+. Replace with
158 # any object that responds to +sanitize+.
160 # Rails::Initializer.run do |config|
161 # config.action_view.link_sanitizer = MySpecialSanitizer.new
165 @link_sanitizer ||= HTML
::LinkSanitizer.new
168 # Gets the HTML::WhiteListSanitizer instance used by sanitize and +sanitize_css+.
169 # Replace with any object that responds to +sanitize+.
171 # Rails::Initializer.run do |config|
172 # config.action_view.white_list_sanitizer = MySpecialSanitizer.new
175 def white_list_sanitizer
176 @white_list_sanitizer ||= HTML
::WhiteListSanitizer.new
179 # Adds valid HTML attributes that the +sanitize+ helper checks for URIs.
181 # Rails::Initializer.run do |config|
182 # config.action_view.sanitized_uri_attributes = 'lowsrc', 'target'
185 def sanitized_uri_attributes
=(attributes
)
186 HTML
::WhiteListSanitizer.uri_attributes
.merge(attributes
)
189 # Adds to the Set of 'bad' tags for the +sanitize+ helper.
191 # Rails::Initializer.run do |config|
192 # config.action_view.sanitized_bad_tags = 'embed', 'object'
195 def sanitized_bad_tags
=(attributes
)
196 HTML
::WhiteListSanitizer.bad_tags
.merge(attributes
)
199 # Adds to the Set of allowed tags for the +sanitize+ helper.
201 # Rails::Initializer.run do |config|
202 # config.action_view.sanitized_allowed_tags = 'table', 'tr', 'td'
205 def sanitized_allowed_tags
=(attributes
)
206 HTML
::WhiteListSanitizer.allowed_tags
.merge(attributes
)
209 # Adds to the Set of allowed HTML attributes for the +sanitize+ helper.
211 # Rails::Initializer.run do |config|
212 # config.action_view.sanitized_allowed_attributes = 'onclick', 'longdesc'
215 def sanitized_allowed_attributes
=(attributes
)
216 HTML
::WhiteListSanitizer.allowed_attributes
.merge(attributes
)
219 # Adds to the Set of allowed CSS properties for the #sanitize and +sanitize_css+ helpers.
221 # Rails::Initializer.run do |config|
222 # config.action_view.sanitized_allowed_css_properties = 'expression'
225 def sanitized_allowed_css_properties
=(attributes
)
226 HTML
::WhiteListSanitizer.allowed_css_properties
.merge(attributes
)
229 # Adds to the Set of allowed CSS keywords for the +sanitize+ and +sanitize_css+ helpers.
231 # Rails::Initializer.run do |config|
232 # config.action_view.sanitized_allowed_css_keywords = 'expression'
235 def sanitized_allowed_css_keywords
=(attributes
)
236 HTML
::WhiteListSanitizer.allowed_css_keywords
.merge(attributes
)
239 # Adds to the Set of allowed shorthand CSS properties for the +sanitize+ and +sanitize_css+ helpers.
241 # Rails::Initializer.run do |config|
242 # config.action_view.sanitized_shorthand_css_properties = 'expression'
245 def sanitized_shorthand_css_properties
=(attributes
)
246 HTML
::WhiteListSanitizer.shorthand_css_properties
.merge(attributes
)
249 # Adds to the Set of allowed protocols for the +sanitize+ helper.
251 # Rails::Initializer.run do |config|
252 # config.action_view.sanitized_allowed_protocols = 'ssh', 'feed'
255 def sanitized_allowed_protocols
=(attributes
)
256 HTML
::WhiteListSanitizer.allowed_protocols
.merge(attributes
)
projects / depot.git / blob