Thursday, May 13, 2010

Escaping HTML in Rails,sanitize method in rails

http://railspikes.com/2008/1/28/auto-escaping-html-with-rails
http://stackoverflow.com/questions/698700/escaping-html-in-rails

strip_tags(html)
Strips all HTML tags from the html, including comments. This uses the html-scanner tokenizer and so its HTML parsing ability is limited by that of html-scanner.

Examples

strip_tags("Strip these tags!")
  # => Strip these tags!

  strip_tags("Bold no more!  See more here...")
  # => Bold no more!  See more here...

  strip_tags("





Welcome to my website!
")
  # => Welcome to my website!
strip_links(html)   
Strips all link tags from text leaving just the link text. 


Examples
strip_links('Ruby on Rails')
  # => Ruby on Rails

  strip_links('Please e-mail me at me@email.com.')
  # => Please e-mail me at me@email.com.

  strip_links('Blog: Visit.')
  # => Blog: Visit
sanitize(html,  options = {})   
This sanitize helper will html encode all tags and strip all attributes that aren’t specifically allowed. It also strips href/src tags with invalid protocols, like javascript: especially. It does its  best to counter any tricks that hackers may use, like throwing in unicode/ascii/hex values to get past the javascript: filters. Check out  the extensive test suite. 


<%= sanitize @article.body %>
You can add or remove tags/attributes if you want to customize it a bit. See ActionView::Base for full docs on the available options. You can add tags/attributes for single uses of sanitize by passing either the :attributes or :tags options: 

Normal Use 


<%= sanitize @article.body %>
Custom Use (only the mentioned tags and attributes are allowed, nothing else) 


<%= sanitize @article.body, :tags => %w(table tr td), :attributes => %w(id class style)
Add table tags to the default allowed tags 


Rails::Initializer.run do |config|
    config.action_view.sanitized_allowed_tags = 'table', 'tr', 'td'
  end
Remove tags to the default allowed tags 


Rails::Initializer.run do |config|
    config.after_initialize do
      ActionView::Base.sanitized_allowed_tags.delete 'div'
    end
  end
Change allowed default attributes 


Rails::Initializer.run do |config|
    config.action_view.sanitized_allowed_attributes = 'id', 'class', 'style'
  end
Please note that sanitizing user-provided text does not guarantee that  the resulting markup is valid (conforming to a document type) or even well-formed. The output may still contain e.g. unescaped ’<’, ’>’, ’&’ characters and confuse browsers. 










Posted by



at





No comments:
  

















Labels:
,
,
,
,























        

      









Subscribe to:
Posts (Atom)