1 require 'action_view/helpers/tag_helper'
4 module Helpers
#:nodoc:
5 # The SanitizeHelper module provides a set of methods for scrubbing text of undesired HTML elements.
6 # These helper methods extend ActionView making them callable within your template files.
8 # This +sanitize+ helper will html encode all tags and strip all attributes that aren't specifically allowed.
9 # It also strips href/src tags with invalid protocols, like javascript: especially. It does its best to counter any
10 # tricks that hackers may use, like throwing in unicode/ascii/hex values to get past the javascript: filters. Check out
11 # the extensive test suite.
13 # <%= sanitize @article.body %>
15 # You can add or remove tags/attributes if you want to customize it a bit. See ActionView::Base for full docs on the
16 # available options. You can add tags/attributes for single uses of +sanitize+ by passing either the <tt>:attributes</tt> or <tt>:tags</tt> options:
20 # <%= sanitize @article.body %>
22 # Custom Use (only the mentioned tags and attributes are allowed, nothing else)
24 # <%= sanitize @article.body, :tags => %w(table tr td), :attributes => %w(id class style)
26 # Add table tags to the default allowed tags
28 # Rails::Initializer.run do |config|
29 # config.action_view.sanitized_allowed_tags = 'table', 'tr', 'td'
32 # Remove tags to the default allowed tags
34 # Rails::Initializer.run do |config|
35 # config.after_initialize do
36 # ActionView::Base.sanitized_allowed_tags.delete 'div'
40 # Change allowed default attributes
42 # Rails::Initializer.run do |config|
43 # config.action_view.sanitized_allowed_attributes = 'id', 'class', 'style'
46 # Please note that sanitizing user-provided text does not guarantee that the
47 # resulting markup is valid (conforming to a document type) or even well-formed.
48 # The output may still contain e.g. unescaped '<', '>', '&' characters and
51 def sanitize(html
, options
= {})
52 self.class.white_list_sanitizer
.sanitize(html
, options
)
55 # Sanitizes a block of CSS code. Used by +sanitize+ when it comes across a style attribute.
56 def sanitize_css(style
)
57 self.class.white_list_sanitizer
.sanitize_css(style
)
60 # Strips all HTML tags from the +html+, including comments. This uses the
61 # html-scanner tokenizer and so its HTML parsing ability is limited by
62 # that of html-scanner.
66 # strip_tags("Strip <i>these</i> tags!")
67 # # => Strip these tags!
69 # strip_tags("<b>Bold</b> no more! <a href='more.html'>See more here</a>...")
70 # # => Bold no more! See more here...
72 # strip_tags("<div id='top-bar'>Welcome to my website!</div>")
73 # # => Welcome to my website!
75 self.class.full_sanitizer
.sanitize(html
)
78 # Strips all link tags from +text+ leaving just the link text.
81 # strip_links('<a href="http://www.rubyonrails.org">Ruby on Rails</a>')
84 # strip_links('Please e-mail me at <a href="mailto:me@email.com">me@email.com</a>.')
85 # # => Please e-mail me at me@email.com.
87 # strip_links('Blog: <a href="http://www.myblog.com/" class="nav" target=\"_blank\">Visit</a>.')
90 self.class.link_sanitizer
.sanitize(html
)
93 module ClassMethods
#:nodoc:
94 attr_writer
:full_sanitizer, :link_sanitizer, :white_list_sanitizer
96 def sanitized_protocol_separator
97 white_list_sanitizer
.protocol_separator
100 def sanitized_uri_attributes
101 white_list_sanitizer
.uri_attributes
104 def sanitized_bad_tags
105 white_list_sanitizer
.bad_tags
108 def sanitized_allowed_tags
109 white_list_sanitizer
.allowed_tags
112 def sanitized_allowed_attributes
113 white_list_sanitizer
.allowed_attributes
116 def sanitized_allowed_css_properties
117 white_list_sanitizer
.allowed_css_properties
120 def sanitized_allowed_css_keywords
121 white_list_sanitizer
.allowed_css_keywords
124 def sanitized_shorthand_css_properties
125 white_list_sanitizer
.shorthand_css_properties
128 def sanitized_allowed_protocols
129 white_list_sanitizer
.allowed_protocols
132 def sanitized_protocol_separator
=(value
)
133 white_list_sanitizer
.protocol_separator
= value
136 # Gets the HTML::FullSanitizer instance used by +strip_tags+. Replace with
137 # any object that responds to +sanitize+.
139 # Rails::Initializer.run do |config|
140 # config.action_view.full_sanitizer = MySpecialSanitizer.new
144 @full_sanitizer ||= HTML
::FullSanitizer.new
147 # Gets the HTML::LinkSanitizer instance used by +strip_links+. Replace with
148 # any object that responds to +sanitize+.
150 # Rails::Initializer.run do |config|
151 # config.action_view.link_sanitizer = MySpecialSanitizer.new
155 @link_sanitizer ||= HTML
::LinkSanitizer.new
158 # Gets the HTML::WhiteListSanitizer instance used by sanitize and +sanitize_css+.
159 # Replace with any object that responds to +sanitize+.
161 # Rails::Initializer.run do |config|
162 # config.action_view.white_list_sanitizer = MySpecialSanitizer.new
165 def white_list_sanitizer
166 @white_list_sanitizer ||= HTML
::WhiteListSanitizer.new
169 # Adds valid HTML attributes that the +sanitize+ helper checks for URIs.
171 # Rails::Initializer.run do |config|
172 # config.action_view.sanitized_uri_attributes = 'lowsrc', 'target'
175 def sanitized_uri_attributes
=(attributes
)
176 HTML
::WhiteListSanitizer.uri_attributes
.merge(attributes
)
179 # Adds to the Set of 'bad' tags for the +sanitize+ helper.
181 # Rails::Initializer.run do |config|
182 # config.action_view.sanitized_bad_tags = 'embed', 'object'
185 def sanitized_bad_tags
=(attributes
)
186 HTML
::WhiteListSanitizer.bad_tags
.merge(attributes
)
189 # Adds to the Set of allowed tags for the +sanitize+ helper.
191 # Rails::Initializer.run do |config|
192 # config.action_view.sanitized_allowed_tags = 'table', 'tr', 'td'
195 def sanitized_allowed_tags
=(attributes
)
196 HTML
::WhiteListSanitizer.allowed_tags
.merge(attributes
)
199 # Adds to the Set of allowed HTML attributes for the +sanitize+ helper.
201 # Rails::Initializer.run do |config|
202 # config.action_view.sanitized_allowed_attributes = 'onclick', 'longdesc'
205 def sanitized_allowed_attributes
=(attributes
)
206 HTML
::WhiteListSanitizer.allowed_attributes
.merge(attributes
)
209 # Adds to the Set of allowed CSS properties for the #sanitize and +sanitize_css+ helpers.
211 # Rails::Initializer.run do |config|
212 # config.action_view.sanitized_allowed_css_properties = 'expression'
215 def sanitized_allowed_css_properties
=(attributes
)
216 HTML
::WhiteListSanitizer.allowed_css_properties
.merge(attributes
)
219 # Adds to the Set of allowed CSS keywords for the +sanitize+ and +sanitize_css+ helpers.
221 # Rails::Initializer.run do |config|
222 # config.action_view.sanitized_allowed_css_keywords = 'expression'
225 def sanitized_allowed_css_keywords
=(attributes
)
226 HTML
::WhiteListSanitizer.allowed_css_keywords
.merge(attributes
)
229 # Adds to the Set of allowed shorthand CSS properties for the +sanitize+ and +sanitize_css+ helpers.
231 # Rails::Initializer.run do |config|
232 # config.action_view.sanitized_shorthand_css_properties = 'expression'
235 def sanitized_shorthand_css_properties
=(attributes
)
236 HTML
::WhiteListSanitizer.shorthand_css_properties
.merge(attributes
)
239 # Adds to the Set of allowed protocols for the +sanitize+ helper.
241 # Rails::Initializer.run do |config|
242 # config.action_view.sanitized_allowed_protocols = 'ssh', 'feed'
245 def sanitized_allowed_protocols
=(attributes
)
246 HTML
::WhiteListSanitizer.allowed_protocols
.merge(attributes
)