sanitize(html, options = {}) public

This sanitize helper will HTML-encode all tags and strip all attributes that aren't specifically allowed.

It also strips href/src attributes whose protocol is not allowed, javascript: in particular. It does its best to counter the tricks used to get past the javascript: filter, such as inserting unicode/ASCII/hex escapes into the scheme. Check out the extensive test suite.

<%= sanitize @article.body %>
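As an added illustration (not code from the Rails documentation or from the rails-html-sanitizer gem), the following stand-alone Ruby snippet shows the kind of check the paragraph above describes for href/src values: the value is normalised first (numeric character references decoded, the control and whitespace characters browsers ignore inside a scheme dropped, case folded) and only then is the scheme compared against an allowlist, so the entity and whitespace tricks mentioned above do not slip through. The SAFE_PROTOCOLS list, the function names and the sample inputs are assumptions made for this example; Rails' real implementation lives in the gem and also handles tag and attribute allowlisting.

```ruby
# Stand-alone example of a protocol allowlist check for href/src attributes.
# Not the Rails implementation; SAFE_PROTOCOLS and the helper names are assumed.

SAFE_PROTOCOLS = %w[http https mailto ftp].freeze
URL_ATTRIBUTES = %w[href src].freeze

# Turn a code point into a string, ignoring values that are not valid scalars.
def codepoint_to_s(cp)
  valid = cp.between?(1, 0x10FFFF) && !cp.between?(0xD800, 0xDFFF)
  valid ? [cp].pack("U") : ""
end

# Decode numeric character references (&#106; / &#x6A;, with or without the
# trailing semicolon) plus the two named entities that can split a scheme.
def decode_entities(value)
  value
    .gsub(/&#x([0-9a-f]+);?/i) { codepoint_to_s(Regexp.last_match(1).to_i(16)) }
    .gsub(/&#(\d+);?/)         { codepoint_to_s(Regexp.last_match(1).to_i) }
    .gsub(/&tab;/i, "\t")
    .gsub(/&newline;/i, "\n")
end

# Normalise before comparing: decode entities, strip the control/whitespace
# characters browsers ignore inside a scheme, then downcase.
def normalize_uri(value)
  decode_entities(value.to_s).gsub(/[\x00-\x20\x7f]/, "").downcase
end

# True when the (normalised) value has no scheme, or a scheme on the allowlist.
def safe_uri?(value)
  normalized = normalize_uri(value)
  return true unless normalized.include?(":")
  scheme = normalized.split(":", 2).first
  # Something that cannot be a scheme means the colon is part of a path.
  return true unless scheme =~ /\A[a-z][a-z0-9+.\-]*\z/
  SAFE_PROTOCOLS.include?(scheme)
end

# Drop href/src attributes that fail the check; other attributes pass through.
# Mirrors what "strip" means for the helper: the attribute disappears, the tag stays.
def strip_unsafe_url_attributes(attributes)
  attributes.reject do |name, value|
    URL_ATTRIBUTES.include?(name.downcase) && !safe_uri?(value)
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample attribute set, as an element's attributes would be seen.
  sample = { "href" => "jav&#x09;ascript:void(0)", "title" => "Home" }
  p strip_unsafe_url_attributes(sample)
end
```

Only the href/src handling is modelled here; the allowlisting of tags and of the remaining attributes that the helper also performs is left to the real sanitizer.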

You can add or remove tags/attributes if you want to customize it a bit. See ActionView::Base for full docs on the available options. You can add tags/attributes for single uses of sanitize by passing either the :attributes or :tags options:

Normal Use

<%= sanitize @article.body %>

Custom Use (only the mentioned tags and attributes are allowed, nothing else)

<%= sanitize @article.body, tags: %w(table tr td), attributes: %w(id class style) %>

Add table tags to the default allowed tags

class Application < Rails::Application
  config.action_view.sanitized_allowed_tags = ['table', 'tr', 'td']
end

Remove tags from the default allowed tags

class Application < Rails::Application
  config.after_initialize do
    ActionView::Base.sanitized_allowed_tags.delete 'div'
  end
end

Change allowed default attributes

class Application < Rails::Application
  config.action_view.sanitized_allowed_attributes = ['id', 'class', 'style']
end

Please note that sanitizing user-provided text does not guarantee that the resulting markup is valid (conforming to a document type) or even well-formed. The output may still contain e.g. unescaped ‘<’, ‘>’, ‘&’ characters and confuse browsers.

January 6, 2009
5 thanks

Default allowed tags and attributes

I found it a bit hard to find the default tags and attributes in the docs.

As of Rails 2.2.2 they are:

del, dd, h3, address, big, sub, tt, a, ul, h4, cite, dfn, h5, small, kbd, code,
b, ins, img, h6, sup, pre, strong, blockquote, acronym, dt, br, p, div, samp,
li, ol, var, em, h1, i, abbr, h2, span, hr

name, href, cite, class, title, src, xml:lang, height, datetime, alt, abbr, width

Getting the latest list

You can query for this list yourself with the following code on the console:

>> puts helper.sanitized_allowed_tags.to_a * ", "
... will output tag list ...
>> puts helper.sanitized_allowed_attributes.to_a * ", "
... will output attribute list ...

The same principle can probably be applied to sanitize_css.

April 21, 2009
3 thanks

sanitize method not functioning in controllers, models, or libs

It comes up with an error about white_list_sanitizer undefined in the class you’re using it in. To get around this, use:


To shorten this, add something like this in an initializer:

class String
  # delegates to the view helper; the method body is the one the follow-up note below shows
  def sanitize; ActionController::Base.helpers.sanitize(self); end
end

then call it with:

July 18, 2009
2 thanks

Sanitize in controllers, models, or libs -- *with* options

A Follow-up to k776’s note. If you want to specify tags or attributes, you should change your initializer to:

class String
  def sanitize(options={})
    ActionController::Base.helpers.sanitize(self, options)
  end
end

Then you can call it from any string like so:

'string'.sanitize(:tags => %w(table td tr), :attributes => %w(style id))

January 6, 2009
1 thank

Replace allowed tags/attributes

The docs above state how to add and remove tags from the default list. But what if you just want to replace the entire list with a list of your own? You can easily do that with the following code:

ActionView::Base.sanitized_allowed_tags.replace %w(strong em b i hr br ul ol li blockquote)
ActionView::Base.sanitized_allowed_attributes.replace %w(href)

Note that if you put this in your initialization block you must use the config.after_initialize hack (to override the default that will be set) but if you put it in an initializer (i.e. a file in the initializers directory) that code is executed after Rails initialization so no need to use any hack. Just use the code above.