class Rails::HTML4::SafeListSanitizer
Rails::HTML4::SafeListSanitizer
¶ ↑
Sanitizes HTML4
and CSS from an extensive safe list.
Whitespace¶ ↑
We can’t make any guarantees about whitespace being kept or stripped. Loofah uses Nokogiri, which wraps either a C or Java parser for the respective Ruby implementation. Those two parsers determine how whitespace is ultimately handled.
When the stripped markup will be rendered the users browser won’t take whitespace into account anyway. It might be better to suggest your users wrap their whitespace sensitive content in pre tags or that you do so automatically.
Options¶ ↑
Sanitizes both html and css via the safe lists found in Rails::HTML::Concern::Scrubber::SafeList
SafeListSanitizer
also accepts options to configure the safe list used when sanitizing html. There’s a class level option:
Rails::HTML4::SafeListSanitizer.allowed_tags = %w(table tr td) Rails::HTML4::SafeListSanitizer.allowed_attributes = %w(id class style)
Tags and attributes can also be passed to sanitize
. Passed options take precedence over the class level options.
Examples¶ ↑
safe_list_sanitizer = Rails::HTML4::SafeListSanitizer.new # default: sanitize via a extensive safe list of allowed elements safe_list_sanitizer.sanitize(@article.body) # sanitize via the supplied tags and attributes safe_list_sanitizer.sanitize( @article.body, tags: %w(table tr td), attributes: %w(id class style), ) # sanitize via a custom Loofah scrubber safe_list_sanitizer.sanitize(@article.body, scrubber: ArticleScrubber.new) # prune nodes from the tree instead of stripping tags and leaving inner content safe_list_sanitizer = Rails::HTML4::SafeListSanitizer.new(prune: true) # the sanitizer can also sanitize CSS safe_list_sanitizer.sanitize_css('background-color: #000;')