This sanitize helper will html encode all tags and strip all attributes that aren't specifically allowed. It also strips href/src tags with invalid protocols, like javascript: especially. It does its best to counter any tricks that hackers may use, like throwing in unicode/ascii/hex values to get past the javascript: filters. Check out the extensive test suite.
    <%= sanitize @article.body %>
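The href/src protocol check described above, as an added illustration (not Rails' own implementation): the attribute value is entity-decoded and stripped of control characters before its scheme is compared with an allowlist, so encoded or whitespace-padded spellings of javascript: are still rejected. The allowlist constant and helper names are assumptions for this example.

```ruby
# Added illustration, not Rails' own code: a model of the href/src protocol
# check that sanitize performs. The allowlist below is an assumption.
ALLOWED_PROTOCOLS = %w[http https mailto].freeze

# Turn a numeric character reference into its character, substituting U+FFFD
# for codepoints that cannot be encoded (surrogates, out of range).
def codepoint_to_char(cp)
  return "\uFFFD" if cp > 0x10FFFF || cp.between?(0xD800, 0xDFFF)
  cp.chr(Encoding::UTF_8)
end

# Decode &#106; / &#x6A; style references plus the whitespace entities, the
# way a browser would before treating the attribute value as a URL.
def decode_entities(value)
  value.gsub(/&#x([0-9a-f]+);?/i) { codepoint_to_char($1.hex) }
       .gsub(/&#(\d+);?/) { codepoint_to_char($1.to_i) }
       .gsub(/&tab;/i, "\t")
       .gsub(/&newline;/i, "\n")
end

# True when the value has no scheme (relative URL, fragment) or an allowed one.
def safe_url?(value)
  # Browsers ignore ASCII control characters and whitespace inside a scheme,
  # so they are removed before the comparison rather than after.
  compact = decode_entities(value).gsub(/[\u0000-\u0020\u007f]/, '')
  return true unless compact.include?(':')
  scheme = compact.split(':', 2).first.downcase
  # A "scheme" containing / ? or # is really a path or query, not a protocol.
  return true if scheme =~ %r{[/?#]}
  ALLOWED_PROTOCOLS.include?(scheme)
end

# Drop href/src attributes whose value fails the check. Tag and other
# attribute filtering are left to the configured allowlists.
def strip_unsafe_urls(html)
  html.gsub(/\s(href|src)\s*=\s*("([^"]*)"|'([^']*)')/i) do
    whole = $&
    value = $3 || $4
    safe_url?(value) ? whole : ''
  end
end
```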
You can add or remove tags/attributes if you want to customize it a bit. See ActionView::Base for full docs on the available options. You can add tags/attributes for single uses of sanitize by passing either the :attributes or :tags options:
Normal Use
    <%= sanitize @article.body %>
Custom Use (only the mentioned tags and attributes are allowed, nothing else)
    <%= sanitize @article.body, tags: %w(table tr td), attributes: %w(id class style) %>
Add table tags to the default allowed tags
    class Application < Rails::Application
      config.action_view.sanitized_allowed_tags = ['table', 'tr', 'td']
    end
Remove tags from the default allowed tags
    class Application < Rails::Application
      config.after_initialize do
        ActionView::Base.sanitized_allowed_tags.delete 'div'
      end
    end
Change allowed default attributes
    class Application < Rails::Application
      config.action_view.sanitized_allowed_attributes = ['id', 'class', 'style']
    end
Please note that sanitizing user-provided text does not guarantee that the resulting markup is valid (conforming to a document type) or even well-formed. The output may still contain e.g. unescaped '<', '>', '&' characters and confuse browsers.