Module: ActionView::Helpers::SanitizeHelper
Relationships & Source Files | |
Extension / Inclusion / Inheritance Descendants | |
Included In:
::ActionDispatch::DebugExceptions::DebugView ,
::ActionView::Base ,
::ActionView::Helpers ,
FormHelper ,
FormOptionsHelper ,
FormTagHelper ,
ActionView::Helpers::Tags::Base,
ActionView::Helpers::Tags::CheckBox,
ActionView::Helpers::Tags::CollectionCheckBoxes,
ActionView::Helpers::Tags::CollectionRadioButtons,
ActionView::Helpers::Tags::CollectionSelect,
ActionView::Helpers::Tags::ColorField,
ActionView::Helpers::Tags::DateField,
ActionView::Helpers::Tags::DateSelect,
ActionView::Helpers::Tags::DatetimeField,
ActionView::Helpers::Tags::DatetimeLocalField,
ActionView::Helpers::Tags::DatetimeSelect,
ActionView::Helpers::Tags::EmailField,
ActionView::Helpers::Tags::FileField,
ActionView::Helpers::Tags::GroupedCollectionSelect,
ActionView::Helpers::Tags::HiddenField,
ActionView::Helpers::Tags::Label,
ActionView::Helpers::Tags::MonthField,
ActionView::Helpers::Tags::NumberField,
ActionView::Helpers::Tags::PasswordField,
ActionView::Helpers::Tags::RadioButton,
ActionView::Helpers::Tags::RangeField,
ActionView::Helpers::Tags::SearchField,
ActionView::Helpers::Tags::Select,
ActionView::Helpers::Tags::TelField,
ActionView::Helpers::Tags::TextArea,
ActionView::Helpers::Tags::TextField,
ActionView::Helpers::Tags::TimeField,
ActionView::Helpers::Tags::TimeSelect,
ActionView::Helpers::Tags::TimeZoneSelect,
ActionView::Helpers::Tags::UrlField,
ActionView::Helpers::Tags::WeekField,
TextHelper ,
::ActionView::TestCase ,
::ActionView::TestCase::Behavior
| |
Super Chains via Extension / Inclusion / Inheritance | |
Class Chain:
self,
::ActiveSupport::Concern
|
|
Defined in: | actionview/lib/action_view/helpers/sanitize_helper.rb |
Overview
The SanitizeHelper module provides a set of methods for scrubbing text of undesired HTML elements. These helper methods extend Action View making them callable within your template files.
Class Method Summary
::ActiveSupport::Concern
- Extended
Instance Method Summary
-
#sanitize(html, options = {})
Sanitizes HTML input, stripping all tags and attributes that aren’t whitelisted.
-
#sanitize_css(style)
Sanitizes a block of CSS code.
-
#strip_links(html)
Strips all link tags from
html
leaving just the link text. -
#strip_tags(html)
Strips all HTML tags from
html
, including comments and special characters.
Instance Method Details
#sanitize(html, options = {})
Sanitizes HTML input, stripping all tags and attributes that aren’t whitelisted.
It also strips href/src attributes with unsafe protocols like javascript:
, while also protecting against attempts to use Unicode, ASCII, and hex character references to work around these protocol filters. All special characters will be escaped.
The default sanitizer is Rails::Html::WhiteListSanitizer}. See HTML Sanitizers for more information.
Custom sanitization rules can also be provided.
Please note that sanitizing user-provided text does not guarantee that the resulting markup is valid or even well-formed.
Options
-
:tags
- An array of allowed tags. -
:attributes
- An array of allowed attributes. -
:scrubber
- A {github.com/rails/rails-html-sanitizer {Rails::Html scrubber} or Loofah::Scrubber object that defines custom sanitization rules. A custom scrubber takes precedence over custom tags and attributes.
Examples
Normal use:
<%= sanitize @comment.body %>
Providing custom whitelisted tags and attributes:
<%= sanitize @comment.body, tags: %w(strong em a), attributes: %w(href) %>
Providing a custom Rails::Html
scrubber:
class CommentScrubber < Rails::Html::PermitScrubber
def initialize
super
self.tags = %w( form script comment blockquote )
self.attributes = %w( style )
end
def skip_node?(node)
node.text?
end
end
<%= sanitize @comment.body, scrubber: CommentScrubber.new %>
See {Rails HTML Sanitizer} for documentation about Rails::Html
scrubbers.
Providing a custom Loofah::Scrubber
:
scrubber = Loofah::Scrubber.new do |node|
node.remove if node.name == 'script'
end
<%= sanitize @comment.body, scrubber: scrubber %>
See Loofah’s documentation for more information about defining custom Loofah::Scrubber
objects.
To set the default allowed tags or attributes across your application:
# In config/application.rb
config.action_view. = ['strong', 'em', 'a']
config.action_view.sanitized_allowed_attributes = ['href', 'title']
# File 'actionview/lib/action_view/helpers/sanitize_helper.rb', line 82
def sanitize(html, = {}) self.class.white_list_sanitizer.sanitize(html, ).try(:html_safe) end
#sanitize_css(style)
Sanitizes a block of CSS code. Used by #sanitize when it comes across a style attribute.
# File 'actionview/lib/action_view/helpers/sanitize_helper.rb', line 87
def sanitize_css(style) self.class.white_list_sanitizer.sanitize_css(style) end
#strip_links(html)
Strips all link tags from html
leaving just the link text.
strip_links('<a href="http://www.rubyonrails.org">Ruby on Rails</a>')
# => Ruby on Rails
strip_links('Please e-mail me at <a href="mailto:me@email.com">me@email.com</a>.')
# => Please e-mail me at me@email.com.
strip_links('Blog: <a href="http://www.myblog.com/" class="nav" target=\"_blank\">Visit</a>.')
# => Blog: Visit.
strip_links('<<a href="https://example.org">malformed & link</a>')
# => <malformed & link
# File 'actionview/lib/action_view/helpers/sanitize_helper.rb', line 121
def strip_links(html) self.class.link_sanitizer.sanitize(html) end
#strip_tags(html)
Strips all HTML tags from html
, including comments and special characters.
"Strip <i>these</i> tags!")
# => Strip these tags!
("<b>Bold</b> no more! <a href='more.html'>See more here</a>...")
# => Bold no more! See more here...
("<div id='top-bar'>Welcome to my website!</div>")
# => Welcome to my website!
("> A quote from Smith & Wesson")
# => > A quote from Smith & Wesson
(
# File 'actionview/lib/action_view/helpers/sanitize_helper.rb', line 104
def (html) self.class.full_sanitizer.sanitize(html) end