sanitize(html, options = {}) public

Sanitizes HTML input, stripping all but known-safe tags and attributes.

It also strips href / src attributes with unsafe protocols like javascript:, while also protecting against attempts to use Unicode, ASCII, and hex character references to work around these protocol filters.
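To make the protocol-filtering point concrete, here is an added, self-contained illustration (not Rails' or Loofah's own code) of why a sanitizer must decode character references before checking a URL scheme: a naive prefix check on the raw attribute would accept `&#106;avascript:` and `&#x6A;avascript:`, while a check on the decoded value rejects them. The allow-list, the attribute names and the sample values are the example's own assumptions.

```ruby
# Illustrative href/src scheme check (example code, not the Rails implementation).
SAFE_PROTOCOLS = %w[http https mailto ftp].freeze   # assumed allow-list
URL_ATTRIBUTES = %w[href src].freeze                 # attributes that carry URLs

NAMED_REFS = { "amp" => "&", "lt" => "<", "gt" => ">", "quot" => '"', "apos" => "'" }.freeze
CHAR_REF   = /&(?:#[xX](?<hex>\h+)|#(?<dec>\d+)|(?<name>[a-zA-Z][a-zA-Z0-9]*));?/
SCHEME     = /\A([a-zA-Z][a-zA-Z0-9+.\-]*):/

# Decode decimal (&#106;), hex (&#x6A;) and a few named (&amp;) references,
# replacing out-of-range or surrogate code points with U+FFFD.
def decode_char_refs(value)
  value.gsub(CHAR_REF) do
    m = Regexp.last_match
    if m[:hex] || m[:dec]
      cp = m[:hex] ? m[:hex].to_i(16) : m[:dec].to_i
      valid = cp.between?(1, 0x10FFFF) && !cp.between?(0xD800, 0xDFFF)
      valid ? cp.chr(Encoding::UTF_8) : "\uFFFD"
    else
      NAMED_REFS.fetch(m[:name], m[0])   # unknown named reference left untouched
    end
  end
end

# Return the lower-cased scheme of a URL value, or nil for relative URLs.
# Character references are decoded first; ASCII control characters and
# whitespace are dropped because browsers ignore them when parsing a scheme.
def url_scheme(value)
  cleaned = decode_char_refs(value.to_s).gsub(/[\u0000-\u0020\u007f]/, "")
  m = SCHEME.match(cleaned)
  m && m[1].downcase
end

# Relative URLs are kept; absolute URLs must use an allow-listed scheme.
def safe_url?(value)
  scheme = url_scheme(value)
  scheme.nil? || SAFE_PROTOCOLS.include?(scheme)
end

# Drop href/src attributes whose (decoded) scheme is not allow-listed.
def scrub_url_attributes(attrs)
  attrs.reject { |name, value| URL_ATTRIBUTES.include?(name.downcase) && !safe_url?(value) }
end

# Constructed sample: the href uses a hex character reference to hide the scheme.
puts scrub_url_attributes({ "href" => "&#x6A;avascript:void(0)", "title" => "x" }).inspect
```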

The default sanitizer is +Rails::HTML5::SafeListSanitizer+. See Rails HTML Sanitizers for more information.

Custom sanitization rules can also be provided.

Please note that sanitizing user-provided text does not guarantee that the resulting markup is valid or even well-formed.

Options

:tags

An array of allowed tags.

:attributes

An array of allowed attributes.

:scrubber

A Rails::HTML scrubber or Loofah::Scrubber object that defines custom sanitization rules. A custom scrubber takes precedence over custom tags and attributes.

Examples

Normal use
<%= sanitize @comment.body %>
Providing custom lists of permitted tags and attributes
<%= sanitize @comment.body, tags: %w(strong em a), attributes: %w(href) %>
Providing a custom +Rails::HTML+ scrubber
class CommentScrubber < Rails::HTML::PermitScrubber
  def initialize
    super
    self.tags = %w( form script comment blockquote )
    self.attributes = %w( style )
  end

  def skip_node?(node)
    node.text?
  end
end

<%= sanitize @comment.body, scrubber: CommentScrubber.new %>

See Rails HTML Sanitizer for documentation about +Rails::HTML+ scrubbers.

Providing a custom +Loofah::Scrubber+
scrubber = Loofah::Scrubber.new do |node|
  node.remove if node.name == 'script'
end

<%= sanitize @comment.body, scrubber: scrubber %>

See Loofah’s documentation for more information about defining custom +Loofah::Scrubber+ objects.

Global Configuration

To set the default allowed tags or attributes across your application:

# In config/application.rb
config.action_view.sanitized_allowed_tags = ['strong', 'em', 'a']
config.action_view.sanitized_allowed_attributes = ['href', 'title']

The default, starting in Rails 7.1, is to use an HTML5 parser for sanitization (if it is available; see the NOTE below). If you wish to revert to the previous HTML4 behavior, set the following in your application configuration:

# In config/application.rb
config.action_view.sanitizer_vendor = Rails::HTML4::Sanitizer

Or, if you’re upgrading from a previous version of Rails and wish to opt into the HTML5 behavior:

# In config/application.rb
config.action_view.sanitizer_vendor = Rails::HTML5::Sanitizer

NOTE: +Rails::HTML5::Sanitizer+ is not supported on JRuby, so on JRuby platforms Rails will fall back to using +Rails::HTML4::Sanitizer+.

January 6, 2009
5 thanks

Default allowed tags and attributes

I found it a bit hard to find the default tags and attributes in the docs.

As of Rails 2.2.2 they are:

Tags

del, dd, h3, address, big, sub, tt, a, ul, h4, cite, dfn, h5, small, kbd, code,
b, ins, img, h6, sup, pre, strong, blockquote, acronym, dt, br, p, div, samp,
li, ol, var, em, h1, i, abbr, h2, span, hr

Attributes

name, href, cite, class, title, src, xml:lang, height, datetime, alt, abbr, width

Getting the latest list

You can query for this list yourself with the following code on the console:

>> puts helper.sanitized_allowed_tags.to_a * ", "
... will output tag list ...
>> puts helper.sanitized_allowed_attributes.to_a * ", "
... will output attribute list ...

The same principle can probably be applied to sanitize_css.

April 21, 2009
3 thanks

sanitize method not functioning in controllers, models, or libs

It comes up with an error about white_list_sanitizer undefined in the class you’re using it in. To get around this, use:

ActionController::Base.helpers.sanitize('string')

To shorten this, add something like this in an initializer:

class String
  def sanitize
    ActionController::Base.helpers.sanitize(self)
  end
end

then call it with:

'string'.sanitize

July 18, 2009
2 thanks

Sanitize in controllers, models, or libs -- *with* options

A follow-up to k776’s note. If you want to specify tags or attributes, you should change your initializer to:

class String
  def sanitize(options={})
    ActionController::Base.helpers.sanitize(self, options)
  end
end

Then you can call it from any string like so:

'string'.sanitize(:tags => %w(table td tr), :attributes => %w(style id))

January 6, 2009
1 thank

Replace allowed tags/attributes

The docs above state how to add and remove tags from the default list. But what if you just want to replace the entire list with a list of your own? You can easily do that with the following code:

ActionView::Base.sanitized_allowed_tags.replace %w(strong em b i hr br ul ol li blockquote)
ActionView::Base.sanitized_allowed_attributes.replace %w(href)

Note that if you put this in your initialization block you must use the config.after_initialize hack (to override the default that will be set), but if you put it in an initializer (i.e. a file in the initializers directory), that code is executed after Rails initialization, so there is no need for any hack. Just use the code above.