require "active_support/core_ext/object/try" require "rails-html-sanitizer" module ActionView # = Action View Sanitize Helpers module Helpers # The SanitizeHelper module provides a set of methods for scrubbing text of undesired HTML elements. # These helper methods extend Action View making them callable within your template files. module SanitizeHelper extend ActiveSupport::Concern # Sanitizes HTML input, stripping all tags and attributes that aren't whitelisted. # # It also strips href/src attributes with unsafe protocols like # javascript:, while also protecting against attempts to use Unicode, # ASCII, and hex character references to work around these protocol filters. # # The default sanitizer is Rails::Html::WhiteListSanitizer. See {Rails HTML # Sanitizers}[https://github.com/rails/rails-html-sanitizer] for more information. # # Custom sanitization rules can also be provided. # # Please note that sanitizing user-provided text does not guarantee that the # resulting markup is valid or even well-formed. For example, the output may still # contain unescaped characters like <, >, or &. # # ==== Options # # * :tags - An array of allowed tags. # * :attributes - An array of allowed attributes. # * :scrubber - A {Rails::Html scrubber}[https://github.com/rails/rails-html-sanitizer] # or {Loofah::Scrubber}[https://github.com/flavorjones/loofah] object that # defines custom sanitization rules. A custom scrubber takes precedence over # custom tags and attributes. # # ==== Examples # # Normal use: # # <%= sanitize @comment.body %> # # Providing custom whitelisted tags and attributes: # # <%= sanitize @comment.body, tags: %w(strong em a), attributes: %w(href) %> # # Providing a custom Rails::Html scrubber: # # class CommentScrubber < Rails::Html::PermitScrubber # def allowed_node?(node) # !%w(form script comment blockquote).include?(node.name) # end # # def skip_node?(node) # node.text? # end # # def scrub_attribute?(name) # name == 'style' # end # end # # <%= sanitize @comment.body, scrubber: CommentScrubber.new %> # # See {Rails HTML Sanitizer}[https://github.com/rails/rails-html-sanitizer] for # documentation about Rails::Html scrubbers. # # Providing a custom Loofah::Scrubber: # # scrubber = Loofah::Scrubber.new do |node| # node.remove if node.name == 'script' # end # # <%= sanitize @comment.body, scrubber: scrubber %> # # See {Loofah's documentation}[https://github.com/flavorjones/loofah] for more # information about defining custom Loofah::Scrubber objects. # # To set the default allowed tags or attributes across your application: # # # In config/application.rb # config.action_view.sanitized_allowed_tags = ['strong', 'em', 'a'] # config.action_view.sanitized_allowed_attributes = ['href', 'title'] def sanitize(html, options = {}) self.class.white_list_sanitizer.sanitize(html, options).try(:html_safe) end # Sanitizes a block of CSS code. Used by +sanitize+ when it comes across a style attribute. def sanitize_css(style) self.class.white_list_sanitizer.sanitize_css(style) end # Strips all HTML tags from +html+, including comments. # # strip_tags("Strip these tags!") # # => Strip these tags! # # strip_tags("Bold no more! See more here...") # # => Bold no more! See more here... # # strip_tags("