sanitize
sanitize(html, options = {})
public
This sanitize helper will html encode all tags and strip all attributes that aren’t specifically allowed.
It also strips href/src tags with invalid protocols, like javascript: especially. It does its best to counter any tricks that hackers may use, like throwing in unicode/ascii/hex values to get past the javascript: filters. Check out the extensive test suite.
<%= sanitize @article.body %>
You can add or remove tags/attributes if you want to customize it a bit. See ActionView::Base for full docs on the available options. You can add tags/attributes for single uses of sanitize by passing either the :attributes or :tags options:
Normal Use
<%= sanitize @article.body %>
Custom Use (only the mentioned tags and attributes are allowed, nothing else)
<%= sanitize @article.body, :tags => %w(table tr td), :attributes => %w(id class style) %>
Add table tags to the default allowed tags
class Application < Rails::Application config.action_view.sanitized_allowed_tags = 'table', 'tr', 'td' end
Remove tags to the default allowed tags
class Application < Rails::Application config.after_initialize do ActionView::Base.sanitized_allowed_tags.delete 'div' end end
Change allowed default attributes
class Application < Rails::Application config.action_view.sanitized_allowed_attributes = 'id', 'class', 'style' end
Please note that sanitizing user-provided text does not guarantee that the resulting markup is valid (conforming to a document type) or even well-formed. The output may still contain e.g. unescaped ‘<’, ‘>’, ‘&’ characters and confuse browsers.
Default allowed tags and attributes
I found it a bit hard to find the default tags and attributes in the docs.
As of Rails 2.2.2 they are:
Tags
del, dd, h3, address, big, sub, tt, a, ul, h4, cite, dfn, h5, small, kbd, code, b, ins, img, h6, sup, pre, strong, blockquote, acronym, dt, br, p, div, samp, li, ol, var, em, h1, i, abbr, h2, span, hr
Attributes
name, href, cite, class, title, src, xml:lang, height, datetime, alt, abbr, width
Getting the latest list
You can query for this list yourself with the following code on the console:
>> puts helper.sanitized_allowed_tags.to_a * ", " ... will output tag list ... >> puts helper.sanitized_allowed_attributes.to_a * ", " ... will output attribute list ...
The same principal can probably be applied to sanitize_css.
sanitize method not functioning in controllers, models, or libs
It comes up with an error about white_list_sanitizer undefined in the class you’re using it in. To get around this, use:
ActionController::Base.helpers.sanitize('string')
To shorten this, add something like this in an initializer:
class String def sanitize ActionController::Base.helpers.sanitize(self) end end
then call it with:
'string'.sanitize
Sanitize in controllers, models, or libs -- *with* options
A Follow-up to k776’s note. If you want to specify tags or attributes, you should change your initializer to:
class String def sanitize(options={}) ActionController::Base.helpers.sanitize(self, options) end end
Then you can call it from any string like so:
'string'.sanitize(:tags => %w(table td tr), :attributes => %w(style id))
Replace allowed tags/attributes
The docs above state how to add and remove tags from the default list. But what if you just want to replace the entire list with a list of your own? You can easily do that with the following code:
ActionView::Base.sanitized_allowed_tags.replace %w(strong em b i hr br ul ol li blockquote) ActionView::Base.sanitized_allowed_attributes.replace %w(href)
Note that if you put this in your initialization block you must use the config.after_initialize hack (to override the default that will be set) but if you put it in an initializer (i.e. a file in the initializers directory) that code is executed after Rails initialization so no need to use any hack. Just use the code above.