sanitize(html, options = {}) public

Sanitizes HTML input, stripping all but known-safe tags and attributes.

It also strips href/src attributes with unsafe protocols like javascript:, while also protecting against attempts to use Unicode, ASCII, and hex character references to work around these protocol filters. All special characters will be escaped.

The default sanitizer is Rails::Html::SafeListSanitizer. See Rails HTML Sanitizers for more information.

Custom sanitization rules can also be provided.

Please note that sanitizing user-provided text does not guarantee that the resulting markup is valid or even well-formed.


  • :tags - An array of allowed tags.

  • :attributes - An array of allowed attributes.

  • :scrubber - A Rails::Html scrubber or Loofah::Scrubber object that defines custom sanitization rules. A custom scrubber takes precedence over custom tags and attributes.


Normal use:

<%= sanitize @comment.body %>

Providing custom lists of permitted tags and attributes:

<%= sanitize @comment.body, tags: %w(strong em a), attributes: %w(href) %>

Providing a custom Rails::Html scrubber:

class CommentScrubber < Rails::Html::PermitScrubber
  def initialize
    super
    self.tags = %w( form script comment blockquote )
    self.attributes = %w( style )
  end

  def skip_node?(node)
    node.text?
  end
end

<%= sanitize @comment.body, scrubber: CommentScrubber.new %>

See Rails HTML Sanitizer for documentation about Rails::Html scrubbers.

Providing a custom Loofah::Scrubber:

scrubber = Loofah::Scrubber.new do |node|
  node.remove if node.name == 'script'
end

<%= sanitize @comment.body, scrubber: scrubber %>

See Loofah’s documentation for more information about defining custom Loofah::Scrubber objects.

To set the default allowed tags or attributes across your application:

# In config/application.rb
config.action_view.sanitized_allowed_tags = ['strong', 'em', 'a']
config.action_view.sanitized_allowed_attributes = ['href', 'title']
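
The protocol filtering described at the top of this page only works if the scheme is checked after character references are resolved. The following is an added example, not code from Rails or rails-html-sanitizer; it is a stdlib-only sketch, and `ALLOWED_SCHEMES`, `decode_char_refs`, `naive_safe_url?` and `safe_url?` are hypothetical names with constructed sample values.

```ruby
# Added example, not Rails code: check a URL's scheme only after normalizing it.
# All names below are hypothetical; the allowlist is illustrative, not Rails' list.
ALLOWED_SCHEMES = %w[http https mailto].freeze

# Resolve decimal and hex character references the way an HTML parser would,
# including zero-padded forms and references with no trailing semicolon.
def decode_char_refs(value)
  value.gsub(/&#(?:[xX]([0-9a-fA-F]+)|([0-9]+));?/) do
    code = $1 ? $1.hex : $2.to_i
    valid = code.between?(1, 0x10FFFF) && !code.between?(0xD800, 0xDFFF)
    valid ? [code].pack("U") : ""
  end
end

# Weak check: inspects the raw attribute text, so an encoded scheme slips past.
def naive_safe_url?(value)
  !value.strip.downcase.start_with?("javascript:")
end

# Stronger check: decode, drop whitespace/control characters, then allow only
# listed schemes. Scheme-less (relative) URLs pass; anything ambiguous fails.
def safe_url?(value)
  url = decode_char_refs(value).gsub(/[\x00-\x20\x7f]/, "")
  head = url[/\A[^\/?#]*/]              # the only place a scheme can appear
  return false if head.include?("&")    # unresolved named reference: fail closed
  return true unless head.include?(":") # relative URL
  ALLOWED_SCHEMES.include?(head.split(":", 2).first.downcase)
end

# Constructed sample attribute values => expected verdict of safe_url?
SAMPLES = {
  "https://example.com/a?b=1&amp;c=2" => true,
  "/relative/path"                    => true,
  "javascript:alert(1)"               => false,
  "&#106;avascript:alert(1)"          => false, # decimal reference
  "&#x6A;avascript:alert(1)"          => false, # hex reference
  "&#0000106avascript:alert(1)"       => false, # padded, no semicolon
}.freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLES.each_key do |v|
    puts format("%-34s naive=%-5s normalized=%s", v, naive_safe_url?(v), safe_url?(v))
  end
end
```

The naive check accepts every encoded sample, while the normalizing check rejects them. In an application, rely on `sanitize` itself rather than a hand-written filter like this one.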
January 6, 2009
5 thanks

Default allowed tags and attributes

I found it a bit hard to find the default tags and attributes in the docs.

As of Rails 2.2.2 they are:


del, dd, h3, address, big, sub, tt, a, ul, h4, cite, dfn, h5, small, kbd, code,
b, ins, img, h6, sup, pre, strong, blockquote, acronym, dt, br, p, div, samp,
li, ol, var, em, h1, i, abbr, h2, span, hr


name, href, cite, class, title, src, xml:lang, height, datetime, alt, abbr, width

Getting the latest list

You can query for this list yourself with the following code on the console:

>> puts helper.sanitized_allowed_tags.to_a * ", "
... will output tag list ...
>> puts helper.sanitized_allowed_attributes.to_a * ", "
... will output attribute list ...

The same principle can probably be applied to sanitize_css.

April 21, 2009
3 thanks

sanitize method not functioning in controllers, models, or libs

It comes up with an error about white_list_sanitizer undefined in the class you’re using it in. To get around this, use:


To shorten this, add something like this in an initializer:

class String
  def sanitize
    ActionController::Base.helpers.sanitize(self)
  end
end

then call it with:

July 18, 2009
2 thanks

Sanitize in controllers, models, or libs -- *with* options

A follow-up to k776’s note. If you want to specify tags or attributes, you should change your initializer to:

class String
  def sanitize(options={})
    ActionController::Base.helpers.sanitize(self, options)
  end
end

Then you can call it from any string like so:

'string'.sanitize(:tags => %w(table td tr), :attributes => %w(style id))
January 6, 2009
1 thank

Replace allowed tags/attributes

The docs above state how to add and remove tags from the default list. But what if you just want to replace the entire list with a list of your own? You can easily do that with the following code:

ActionView::Base.sanitized_allowed_tags.replace %w(strong em b i hr br ul ol li blockquote)
ActionView::Base.sanitized_allowed_attributes.replace %w(href)

Note that if you put this in your initialization block you must use the config.after_initialize hack (to override the default that will be set) but if you put it in an initializer (i.e. a file in the initializers directory) that code is executed after Rails initialization so no need to use any hack. Just use the code above.