module Shamu::Attributes::HtmlSanitation

Adds an HTML sanitation option to attributes. When present, string values will be sanitized when the attribute is read.

The raw unfiltered value is always available as `#{ attribute }_raw`.

Constants

BODY_TAGS

Tags safe for body text.

SIMPLE_TAGS

Tags safe for simple text.

STANDARD_FILTER_METHODS

The standard HTML sanitation filter methods.

UNSAFE_TAGS

Tags that are not safe.

Public Instance Methods

attribute( name, *args, **options, &block )

(see Attributes.attribute) @param [Symbol,#call] html the HTML sanitation option, passed as `html:`. Acceptable values are:

- `:none` strip all HTML. The default.
- `:simple` simple formatting suitable for most places. See
  {#simple_html_sanitize} for details.
- `:body` basic formatting for 'body' text. See
  {#body_html_sanitize} for details.
- `:allow` permit any HTML tag.
- Any other symbol is assumed to be a method on the entity that will
  be called to filter the html.
- `#call` anything that responds to `#call` that takes a single
  argument of the raw string and returns the sanitized HTML.
Calls superclass method
# File lib/shamu/attributes/html_sanitation.rb, line 47
def attribute( name, *args, **options, &block )
  # (see Attributes.attribute)
  # Defines the attribute as usual, then replaces its reader with one that
  # runs the sanitizer selected by the `html:` option. Only the presence of
  # the key matters here: `html: nil` still installs a sanitized reader, and
  # define_html_sanitized_attribute_reader falls back to the `:none` filter.
  defined = super
  define_html_sanitized_attribute_reader( name, options[ :html ] ) if options.key?( :html )
  defined
end
define_attribute_reader( name, as: nil, ** )
Calls superclass method
# File lib/shamu/attributes/html_sanitation.rb, line 55
          def define_attribute_reader( name, as: nil, ** )
            super

            # Also expose the unfiltered value as `<name>_raw`, memoized in the
            # attribute's own instance variable. `name` is interpolated into
            # evaluated source, so it must be a developer-supplied attribute
            # name, never a value taken from runtime input.
            class_eval <<~RUBY, __FILE__, __LINE__ + 1
              def #{ name }_raw
                return @#{ name } if defined? @#{ name }
                @#{ name } = fetch_#{ name }
              end
            RUBY
          end
define_html_sanitized_attribute_reader( name, method )
# File lib/shamu/attributes/html_sanitation.rb, line 66
          def define_html_sanitized_attribute_reader( name, method )
            # Without an explicit option the attribute strips all HTML (`:none`).
            filter_method = resolve_html_filter_method( name, method || :none )

            # The sanitized result is memoized in its own instance variable so
            # the unfiltered value stays reachable through `<name>_raw`. Both
            # `name` and `filter_method` are interpolated into evaluated source
            # and must come from the attribute definition, not runtime input.
            class_eval <<~RUBY, __FILE__, __LINE__ + 1
              def #{ name }
                return @#{ name }_html_sanitized if defined? @#{ name }_html_sanitized
                @#{ name }_html_sanitized = #{ filter_method }( #{ name }_raw )
              end
            RUBY
          end
resolve_html_filter_method( name, method )
# File lib/shamu/attributes/html_sanitation.rb, line 78
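def resolve_html_filter_method( name, method )
  # Resolve the `html:` option to the name of the instance method that will
  # sanitize the attribute, defining that method on the fly for callables.
  #
  # @param [Symbol] name of the attribute being defined.
  # @param [Symbol,#call] method the `html:` option given to {#attribute}.
  # @return [String,Symbol] name of the filter method to call with the raw value.
  # @raise [ArgumentError] when the option is neither a Symbol nor callable.
  if STANDARD_FILTER_METHODS.include?( method )
    "#{ method }_html_sanitize"
  elsif method.is_a?( Symbol )
    # Any other symbol names a method on the entity; it is looked up at call time.
    method
  else
    filter_method = "custom_#{ name }_html_sanitize"
    if method.respond_to?( :to_proc )
      # Procs, lambdas and Method objects become the method body, so `self`
      # inside them is the entity, as before.
      define_method filter_method, &method
    elsif method.respond_to?( :call )
      # The documented contract only requires `#call`; objects that lack
      # `#to_proc` previously raised TypeError here. They keep their own
      # binding and are invoked with the raw value.
      define_method( filter_method ) { |value| method.call( value ) }
    else
      raise ArgumentError, "html option for #{ name } must be a Symbol or respond to #call"
    end
    filter_method
  end
end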

Private Instance Methods

allow_html_sanitize( value )

@!visibility public

Does not perform any sanitization of the value.

@param [String] value to sanitize. @return [String] the sanitized value.

# File lib/shamu/attributes/html_sanitation.rb, line 151
def allow_html_sanitize( value )
  # @!visibility public
  # Keeps every tag in the value; only the `:no_follow` scrubber is applied,
  # so callers should select `:allow` only for markup from trusted authors.
  # Non-String values are returned untouched.
  #
  # @param [String] value to sanitize.
  # @return [String] the value after the no-follow pass.
  case value
  when String then Loofah.fragment( value ).scrub!( :no_follow ).to_s
  else value
  end
end
body_html_sanitize( value )

@!visibility public

Remove all but a limited subset of common tags useful for body copy text. See {BODY_TAGS}.

@param [String] value to sanitize. @return [String] the sanitized value.

# File lib/shamu/attributes/html_sanitation.rb, line 124
def body_html_sanitize( value )
  # @!visibility public
  # Reduces the value to the limited set of body-copy tags ({BODY_TAGS}) by
  # running it through BodyScrubber. Non-String values are returned untouched.
  #
  # @param [String] value to sanitize.
  # @return [String] the sanitized value.
  if value.is_a?( String )
    Loofah.fragment( value ).scrub!( BodyScrubber.new ).to_s
  else
    value
  end
end
none_html_sanitize( value )

@!visibility public

Remove all HTML from the value.

@param [String] value to sanitize. @return [String] the sanitized value.

# File lib/shamu/attributes/html_sanitation.rb, line 99
def none_html_sanitize( value )
  # @!visibility public
  # Removes all HTML from the value using NoneScrubber; this is the default
  # filter. Non-String values are returned untouched.
  #
  # @param [String] value to sanitize.
  # @return [String] the sanitized value.
  return value unless value.is_a?( String )

  fragment = Loofah.fragment( value )
  fragment.scrub!( NoneScrubber.new )
  fragment.to_s
end
safe_html_sanitize( value )

@!visibility public

Remove all HTML from the value.

@param [String] value to sanitize. @return [String] the sanitized value.

# File lib/shamu/attributes/html_sanitation.rb, line 136
def safe_html_sanitize( value )
  # @!visibility public
  # Scrubs the value with SafeScrubber and then marks any remaining links
  # no-follow. Non-String values are returned untouched.
  #
  # @param [String] value to sanitize.
  # @return [String] the sanitized value.
  return value unless value.is_a?( String )

  fragment = Loofah.fragment( value )
  # Order matters: tag filtering first, then the link attribute pass.
  [ SafeScrubber.new, :no_follow ].each { |scrubber| fragment.scrub!( scrubber ) }
  fragment.to_s
end
simple_html_sanitize( value )

@!visibility public

Remove all but the simplest html tags <B>, <I>, <STRONG>, <EM>.

@param [String] value to sanitize. @return [String] the sanitized value.

# File lib/shamu/attributes/html_sanitation.rb, line 111
def simple_html_sanitize( value )
  # @!visibility public
  # Keeps only the simplest inline tags (<B>, <I>, <STRONG>, <EM>) by running
  # the value through SimpleScrubber. Non-String values are returned untouched.
  #
  # @param [String] value to sanitize.
  # @return [String] the sanitized value.
  value.is_a?( String ) ? Loofah.fragment( value ).scrub!( SimpleScrubber.new ).to_s : value
end