This method is deprecated or moved on the latest stable version.
The last existing version (v1.2.6) is shown here.
sanitize(html)
public
Sanitizes +html+ by escaping the <form> and <script> tags so they render as regular text, removing all "onxxx" event-handler attributes (so that arbitrary JavaScript cannot be executed), and removing href= and src= attributes whose value starts with "javascript:". You can modify what gets sanitized by defining VERBOTEN_TAGS and VERBOTEN_ATTRS before this module is loaded. Note that this is a blocklist: any tag, attribute or URL scheme not covered by those constants or the "javascript:" check is passed through untouched, so it should not be relied on to make untrusted markup safe; later Rails versions replaced it with an allowlist-based sanitizer.
sanitize('<script> do_nasty_stuff() </script>')
=> &lt;script> do_nasty_stuff() &lt;/script>
sanitize('<a href="javascript: sucker();">Click here for $100</a>')
=> <a>Click here for $100</a>
# File actionpack/lib/action_view/helpers/text_helper.rb, line 221
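# Blocklist-based HTML sanitizer (Rails 1.x; deprecated, superseded by an
# allowlist-based sanitizer in later versions).
#
# Tokenizes +html+ and, for each token:
# * a tag whose name is in VERBOTEN_TAGS (opening or closing) has its "<"
#   escaped so the browser shows it as literal text;
# * any other opening or self-closing tag loses attributes whose name
#   matches VERBOTEN_ATTRS, and loses +href+/+src+ when the value is a
#   +javascript:+ URL;
# * text tokens have their "<" escaped.
#
# VERBOTEN_TAGS, VERBOTEN_ATTRS, HTML::Tokenizer and HTML::Node are defined
# elsewhere in ActionPack (not in this listing).
#
# Returns the sanitized markup; +html+ is returned unchanged when it
# contains no "<".
#
# NOTE(review): a blocklist cannot be made complete. Tags not listed in
# VERBOTEN_TAGS, URL schemes other than +javascript:+ (e.g. +vbscript:+,
# +data:+) and entity-encoded scheme names (+java&#115;cript:+) all pass
# through untouched. Do not rely on this for untrusted input; use an
# allowlist sanitizer instead.
def sanitize(html)
  # Cheap fast path: with no "<" there is nothing to tokenize or escape.
  return html unless html.index("<")

  tokenizer = HTML::Tokenizer.new(html)
  new_text = ""
  while (token = tokenizer.next)
    node = HTML::Node.parse(nil, 0, 0, token, false)
    new_text << case node
                when HTML::Tag
                  if VERBOTEN_TAGS.include?(node.name)
                    # Escape the whole tag so it is displayed rather than
                    # executed. The replacement must be the "&lt;" entity;
                    # replacing "<" with "<" would be a no-op.
                    node.to_s.gsub(/</, "&lt;")
                  else
                    if node.closing != :close
                      node.attributes.delete_if { |attr, _v| attr =~ VERBOTEN_ATTRS }
                      %w(href src).each do |attr|
                        # \A rather than ^: in Ruby ^ anchors to any line
                        # start, and browsers ignore leading whitespace before
                        # the scheme, so " javascript:..." must also be caught.
                        node.attributes.delete attr if node.attributes[attr] =~ /\A\s*javascript:/i
                      end
                    end
                    node.to_s
                  end
                else
                  # Plain text: neutralize any stray "<" so it cannot open a tag.
                  node.to_s.gsub(/</, "&lt;")
                end
  end
  new_text
end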