method

sanitize

v1.2.6 - Show latest stable - Class: ActionView::Helpers::TextHelper

sanitize(html)

public

Sanitizes the html by converting <form> and <script> tags into regular text, and removing all "onxxx" attributes (so that arbitrary Javascript cannot be executed). It also removes href= and src= attributes that start with "javascript:". You can modify what gets sanitized by defining VERBOTEN_TAGS and VERBOTEN_ATTRS before this Module is loaded.

  sanitize('<script> do_nasty_stuff() </script>')
   => &lt;script> do_nasty_stuff() &lt;/script>
  sanitize('<a href="javascript: sucker();">Click here for $100</a>')
   => <a>Click here for $100</a>

# File actionpack/lib/action_view/helpers/text_helper.rb, line 221
      def sanitize(html)
        # only do this if absolutely necessary
        if html.index("<")
          tokenizer = HTML::Tokenizer.new(html)
          new_text = ""

          while token = tokenizer.next
            node = HTML::Node.parse(nil, 0, 0, token, false)
            new_text << case node
              when HTML::Tag
                if VERBOTEN_TAGS.include?(node.name)
                  node.to_s.gsub(/</, "&lt;")
                else
                  if node.closing != :close
                    node.attributes.delete_if { |attr,v| attr =~ VERBOTEN_ATTRS }
                    %w(href src).each do |attr|
                      node.attributes.delete attr if node.attributes[attr] =~ /^javascript:/i
                    end
                  end
                  node.to_s
                end
              else
                node.to_s.gsub(/</, "&lt;")
            end
          end

          html = new_text
        end

        html
      end

sanitize

Related methods