module Rails::HTML::Concern::Scrubber::SafeList

Constants

DEFAULT_ALLOWED_ATTRIBUTES

The default safe list for attributes

DEFAULT_ALLOWED_TAGS

The default safe list for tags

Public Class Methods

included(klass)
# File lib/rails/html/sanitizer.rb, line 141
def self.included(klass)
  # Module hook: give the including class its own class-level safe lists.
  #
  # @param klass [Class] the class that included this module
  # @return [Object] the value of the final assignment (unused by callers)
  klass.singleton_class.class_eval do
    attr_accessor :allowed_tags, :allowed_attributes
  end

  # Seed with (shallow) copies of the defaults so that mutating one class's
  # lists never changes the shared DEFAULT_* constants or another class.
  # Note that these accessors are writable and consulted on every sanitize
  # call that does not pass its own list, so appending to them widens the
  # policy for every later sanitizer of +klass+.
  klass.allowed_tags = DEFAULT_ALLOWED_TAGS.dup
  klass.allowed_attributes = DEFAULT_ALLOWED_ATTRIBUTES.dup
end
new(prune: false)
# File lib/rails/html/sanitizer.rb, line 151
def initialize(prune: false)
  # Builds the PermitScrubber once; #scrub reconfigures its tags/attributes
  # on every call rather than allocating a new one.
  #
  # @param prune [Boolean] forwarded to PermitScrubber untouched; presumably
  #   selects pruning (disallowed node removed with its content) over
  #   stripping -- confirm against PermitScrubber
  permit_scrubber = PermitScrubber.new(prune: prune)
  @permit_scrubber = permit_scrubber
end

Public Instance Methods

sanitize_css(style_string)
# File lib/rails/html/sanitizer.rb, line 168
def sanitize_css(style_string)
  # Pure delegation: the CSS filtering rules live in Loofah, not here, so
  # what is removed depends on the Loofah version that is loaded.
  #
  # @param style_string [String] a CSS declaration list (inline style text)
  # @return whatever Loofah::HTML5::Scrub.scrub_css returns
  css_scrubber = Loofah::HTML5::Scrub
  css_scrubber.scrub_css(style_string)
end
scrub(fragment, options = {})
# File lib/rails/html/sanitizer.rb, line 155
def scrub(fragment, options = {})
  # Scrubs +fragment+ in place, choosing the scrubber from +options+:
  #
  # * +:scrubber+ -- used exactly as given and takes precedence over any tag
  #   or attribute list, so the caller owns what it permits. (No duck typing:
  #   Loofah itself ensures it is a subclass of Loofah::Scrubber.)
  # * +:tags+ / +:attributes+ -- a per-call safe list; whichever is absent
  #   falls back to the class-level list (see #allowed_tags). A per-call list
  #   replaces the class default rather than narrowing it.
  # * neither available -- Loofah's built-in +:strip+ scrubber.
  #
  # @param fragment [Loofah fragment/document] responds to #scrub!
  # @param options [Hash] :scrubber, :tags, :attributes (all optional)
  # @return whatever +fragment.scrub!+ returns
  #
  # NOTE(review): @permit_scrubber is a single instance per sanitizer that is
  # reconfigured on every call; concurrent calls with different options on the
  # same sanitizer instance would race on its tags/attributes -- confirm
  # whether instances are ever shared across threads.
  custom_scrubber = options[:scrubber]
  return fragment.scrub!(custom_scrubber) if custom_scrubber

  tags = allowed_tags(options)
  attributes = allowed_attributes(options)
  return fragment.scrub!(:strip) unless tags || attributes

  @permit_scrubber.tags = tags
  @permit_scrubber.attributes = attributes
  fragment.scrub!(@permit_scrubber)
end

Private Instance Methods

allowed_attributes(options)
# File lib/rails/html/sanitizer.rb, line 177
def allowed_attributes(options)
  # Resolves the attribute safe list for one call.
  #
  # A per-call +:attributes+ value replaces -- it does not narrow -- the
  # class-level list, so whoever supplies it sets the attribute policy for
  # that call. Only nil/false fall through to the class default.
  #
  # @param options [Hash] may contain :attributes
  # @return [Enumerable, nil] the per-call list, else +self.class.allowed_attributes+
  per_call = options[:attributes]
  return per_call if per_call

  self.class.allowed_attributes
end
allowed_tags(options)
# File lib/rails/html/sanitizer.rb, line 173
def allowed_tags(options)
  # Resolves the tag safe list for one call.
  #
  # A per-call +:tags+ value replaces -- it does not narrow -- the class-level
  # list, so whoever supplies it sets the tag policy for that call. Only
  # nil/false fall through to the class default.
  #
  # @param options [Hash] may contain :tags
  # @return [Enumerable, nil] the per-call list, else +self.class.allowed_tags+
  per_call = options[:tags]
  return per_call if per_call

  self.class.allowed_tags
end