Module: ActionView::Helpers::SanitizeHelper
Overview
Action View Sanitize Helpers
The SanitizeHelper module provides a set of methods for scrubbing text of undesired HTML elements. These helper methods extend Action View making them callable within your template files.
Class Attribute Summary
- .sanitizer_vendor (also: #sanitizer_vendor) rw
Class Method Summary
::ActiveSupport::Concern
- Extended
class_methods | Define class methods from given block. |
included | Evaluate given block in context of base class, so that you can write class macros here. |
prepended | Evaluate given block in context of base class, so that you can write class macros here. |
append_features, prepend_features |
Instance Attribute Summary
Instance Method Summary
-
#sanitize(html, options = {})
Sanitizes HTML input, stripping all but known-safe tags and attributes.
-
#sanitize_css(style)
Sanitizes a block of CSS code.
-
#strip_links(html)
Strips all link tags from
html
leaving just the link text. -
#strip_tags(html)
Strips all HTML tags from
html
, including comments and special characters.
Class Attribute Details
.sanitizer_vendor (rw) Also known as: #sanitizer_vendor
[ GitHub ]# File 'actionview/lib/action_view/helpers/sanitize_helper.rb', line 12
mattr_accessor :sanitizer_vendor, default: Rails::HTML4::Sanitizer
Instance Attribute Details
#sanitizer_vendor (rw)
[ GitHub ]# File 'actionview/lib/action_view/helpers/sanitize_helper.rb', line 12
mattr_accessor :sanitizer_vendor, default: Rails::HTML4::Sanitizer
Instance Method Details
#sanitize(html, options = {})
Sanitizes HTML input, stripping all but known-safe tags and attributes.
It also strips href
/ src
attributes with unsafe protocols like javascript:
, while also protecting against attempts to use Unicode, ASCII, and hex character references to work around these protocol filters.
The default sanitizer is Rails::HTML5::SafeListSanitizer
. See Rails HTML Sanitizers for more information.
Custom sanitization rules can also be provided.
Please note that sanitizing user-provided text does not guarantee that the resulting markup is valid or even well-formed.
Options
:tags
-
An array of allowed tags.
:attributes
-
An array of allowed attributes.
:scrubber
-
A Rails::HTML scrubber or Loofah::Scrubber object that defines custom sanitization rules. A custom scrubber takes precedence over custom tags and attributes.
Examples
Normal use
<%= sanitize @comment.body %>
Providing custom lists of permitted tags and attributes
<%= sanitize @comment.body, tags: %w(strong em a), attributes: %w(href) %>
Providing a custom Rails::HTML
scrubber
class CommentScrubber < Rails::HTML::PermitScrubber
def initialize
super
self. = %w( form script comment blockquote )
self.attributes = %w( style )
end
def skip_node?(node)
node.text?
end
end
<%= sanitize @comment.body, scrubber: CommentScrubber.new %>
See {Rails HTML Sanitizer} for documentation about Rails::HTML
scrubbers.
Providing a custom Loofah::Scrubber
scrubber = Loofah::Scrubber.new do |node|
node.remove if node.name == 'script'
end
<%= sanitize @comment.body, scrubber: scrubber %>
See Loofah’s documentation for more information about defining custom Loofah::Scrubber
objects.
Global Configuration
To set the default allowed tags or attributes across your application:
# In config/application.rb
config.action_view. = ['strong', 'em', 'a']
config.action_view.sanitized_allowed_attributes = ['href', 'title']
The default, starting in Rails 7.1, is to use an HTML5 parser for sanitization (if it is available, see NOTE below). If you wish to revert back to the previous HTML4 behavior, you can do so by setting the following in your application configuration:
# In config/application.rb
config.action_view.sanitizer_vendor = Rails::HTML4::Sanitizer
Or, if you’re upgrading from a previous version of Rails and wish to opt into the HTML5 behavior:
# In config/application.rb
config.action_view.sanitizer_vendor = Rails::HTML5::Sanitizer
NOTE: Rails::HTML5::Sanitizer
is not supported on JRuby, so on JRuby platforms Rails will fall back to using Rails::HTML4::Sanitizer
.
# File 'actionview/lib/action_view/helpers/sanitize_helper.rb', line 111
def sanitize(html, = {}) self.class.safe_list_sanitizer.sanitize(html, )&.html_safe end
#sanitize_css(style)
Sanitizes a block of CSS code. Used by #sanitize when it comes across a style attribute.
# File 'actionview/lib/action_view/helpers/sanitize_helper.rb', line 116
def sanitize_css(style) self.class.safe_list_sanitizer.sanitize_css(style) end
#strip_links(html)
Strips all link tags from html
leaving just the link text.
strip_links('<a href="http://www.rubyonrails.org">Ruby on Rails</a>')
# => Ruby on Rails
strip_links('Please e-mail me at <a href="mailto:me@email.com">me@email.com</a>.')
# => Please e-mail me at me@email.com.
strip_links('Blog: <a href="http://www.myblog.com/" class="nav" target=\"_blank\">Visit</a>.')
# => Blog: Visit.
strip_links('<<a href="https://example.org">malformed & link</a>')
# => <malformed & link
# File 'actionview/lib/action_view/helpers/sanitize_helper.rb', line 150
def strip_links(html) self.class.link_sanitizer.sanitize(html) end
#strip_tags(html)
Strips all HTML tags from html
, including comments and special characters.
"Strip <i>these</i> tags!")
# => Strip these tags!
("<b>Bold</b> no more! <a href='more.html'>See more here</a>...")
# => Bold no more! See more here...
("<div id='top-bar'>Welcome to my website!</div>")
# => Welcome to my website!
("> A quote from Smith & Wesson")
# => > A quote from Smith & Wesson
(
# File 'actionview/lib/action_view/helpers/sanitize_helper.rb', line 133
def (html) self.class.full_sanitizer.sanitize(html)&.html_safe end