123456789_123456789_123456789_123456789_123456789_

Module: ActionView::Helpers::SanitizeHelper

Relationships & Source Files
Extension / Inclusion / Inheritance Descendants
Included In:
ActionDispatch::DebugView, ::ActionView::Base, ::ActionView::Helpers, FormHelper, FormOptionsHelper, FormTagHelper, ActionView::Helpers::Tags::Base, ActionView::Helpers::Tags::CheckBox, ActionView::Helpers::Tags::CollectionCheckBoxes, ActionView::Helpers::Tags::CollectionRadioButtons, ActionView::Helpers::Tags::CollectionSelect, ActionView::Helpers::Tags::ColorField, ActionView::Helpers::Tags::DateField, ActionView::Helpers::Tags::DateSelect, ActionView::Helpers::Tags::DatetimeField, ActionView::Helpers::Tags::DatetimeLocalField, ActionView::Helpers::Tags::DatetimeSelect, ActionView::Helpers::Tags::EmailField, ActionView::Helpers::Tags::FileField, ActionView::Helpers::Tags::GroupedCollectionSelect, ActionView::Helpers::Tags::HiddenField, ActionView::Helpers::Tags::Label, ActionView::Helpers::Tags::MonthField, ActionView::Helpers::Tags::NumberField, ActionView::Helpers::Tags::PasswordField, ActionView::Helpers::Tags::RadioButton, ActionView::Helpers::Tags::RangeField, ActionView::Helpers::Tags::SearchField, ActionView::Helpers::Tags::Select, ActionView::Helpers::Tags::TelField, ActionView::Helpers::Tags::TextArea, ActionView::Helpers::Tags::TextField, ActionView::Helpers::Tags::TimeField, ActionView::Helpers::Tags::TimeSelect, ActionView::Helpers::Tags::TimeZoneSelect, ActionView::Helpers::Tags::UrlField, ActionView::Helpers::Tags::WeekField, TextHelper, ::ActionView::TestCase, ::ActionView::TestCase::Behavior
Super Chains via Extension / Inclusion / Inheritance
Class Chain:
self, ::ActiveSupport::Concern
Defined in: actionview/lib/action_view/helpers/sanitize_helper.rb

Overview

The SanitizeHelper module provides a set of methods for scrubbing text of undesired HTML elements. These helper methods extend Action View making them callable within your template files.

Class Method Summary

::ActiveSupport::Concern - Extended

class_methods

Define class methods from given block.
included

Evaluate given block in context of base class, so that you can write class macros here.
prepended

Evaluate given block in context of base class, so that you can write class macros here.

Instance Method Summary

Instance Method Details

#sanitize(html, options = {})

Sanitizes HTML input, stripping all but known-safe tags and attributes.

It also strips href/src attributes with unsafe protocols like javascript:, while also protecting against attempts to use Unicode, ASCII, and hex character references to work around these protocol filters. All special characters will be escaped.

The default sanitizer is Rails::Html::SafeListSanitizer. See Rails HTML Sanitizers for more information.

Custom sanitization rules can also be provided.

Please note that sanitizing user-provided text does not guarantee that the resulting markup is valid or even well-formed.

Options

  • :tags - An array of allowed tags.

  • :attributes - An array of allowed attributes.

  • :scrubber - A {Rails::Html scrubber} or Loofah::Scrubber object that defines custom sanitization rules. A custom scrubber takes precedence over custom tags and attributes.

Examples

Normal use:

<%= sanitize @comment.body %>

Providing custom lists of permitted tags and attributes:

<%= sanitize @comment.body, tags: %w(strong em a), attributes: %w(href) %>

Providing a custom Rails::Html scrubber:

class CommentScrubber < Rails::Html::PermitScrubber
  def initialize
    super
    self.tags = %w( form script comment blockquote )
    self.attributes = %w( style )
  end

  def skip_node?(node)
    node.text?
  end
end

<%= sanitize @comment.body, scrubber: CommentScrubber.new %>

See {Rails HTML Sanitizer} for documentation about Rails::Html scrubbers.

Providing a custom Loofah::Scrubber:

scrubber = Loofah::Scrubber.new do |node|
  node.remove if node.name == 'script'
end

<%= sanitize @comment.body, scrubber: scrubber %>

See Loofah’s documentation for more information about defining custom Loofah::Scrubber objects.

To set the default allowed tags or attributes across your application:

# In config/application.rb
config.action_view.sanitized_allowed_tags = ['strong', 'em', 'a']
config.action_view.sanitized_allowed_attributes = ['href', 'title']
[ GitHub ] 

  


# File 'actionview/lib/action_view/helpers/sanitize_helper.rb', line 81



def sanitize(html, options = {})
  self.class.safe_list_sanitizer.sanitize(html, options)&.html_safe
end


  








  

    #sanitize_css(style)  
  



  

    

Sanitizes a block of CSS code. Used by #sanitize when it comes across a style attribute.


  



  [ GitHub ]


  

  


# File 'actionview/lib/action_view/helpers/sanitize_helper.rb', line 86



def sanitize_css(style)
  self.class.safe_list_sanitizer.sanitize_css(style)
end


  










  

    #strip_tags(html)  
  



  

    

Strips all HTML tags from html, including comments and special characters.



strip_tags("Strip <i>these</i> tags!")
# => Strip these tags!

strip_tags("<b>Bold</b> no more!  <a href='more.html'>See more here</a>...")
# => Bold no more!  See more here...

strip_tags("<div id='top-bar'>Welcome to my website!</div>")
# => Welcome to my website!

strip_tags("> A quote from Smith & Wesson")
# => &gt; A quote from Smith &amp; Wesson


  



  [ GitHub ]


  

  


# File 'actionview/lib/action_view/helpers/sanitize_helper.rb', line 103



def strip_tags(html)
  self.class.full_sanitizer.sanitize(html)
end