Sanitize to the rescue!

Published 2010-09-21 (last modified 2017-08-18) on the Plataformatec blog: https://blog.plataformatec.com.br/2010/09/sanitize-to-the-rescue/

Most of the applications we create these days have an admin interface where a user with the necessary privileges manages the application content, subject to some business rules. Part of this content must be easy to edit, which means the user needs to be able to add some formatting to it. For us, that usually means the user has to input HTML tags, and it also means the user can do things that might break our application.

Luckily, Rails can help us, since it has helpers to sanitize and strip unwanted tags or attributes from the markup.

Strip links

If you just want to remove all links from the text you want to show, you can use the following method:

```
<%= strip_links 'Send e-mail to <a href="mailto:me@example.com">Me</a>.' %>

Send e-mail to Me.
```

Strip tags

This one is probably better known: it removes all HTML tags from the given markup, using html-tokenizer:

```
<%= strip_tags '<p class="foo">Send e-mail to <a href="mailto:me@example.com">Me</a>.</p>' %>

Send e-mail to Me.
```

Sanitize

The sanitize helper encodes HTML tags and strips all attributes that are not allowed, script tags especially.

```
<%= sanitize '<p id="bar" class="foo">foo bar <script>alert("I am a hacker!")</script> baz</p>' %>

<p class="foo">foo bar  baz</p>
```

Here, for instance, the script tag was removed, and so was the id attribute of the paragraph tag.

Simple format

Together with sanitize we have the simple_format helper. Besides sanitizing the given content, it automatically converts a single new line into a br tag and two or more new lines into a p tag. Let's see how it works:

```
<%= simple_format "I am a text \n and I want to be formatted \n\n by <strong>simple_format</strong>", :class => 'foo' %>

<p class="foo">I am a text 
<br /> and I want to be formatted </p> 
<p class="foo"> by <strong>simple_format</strong></p>
```
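To make the behaviour of the four helpers above (strip_links, strip_tags, sanitize and simple_format) concrete outside of a Rails view, here is an added example in plain Ruby. It is not Rails' own code: Rails drives a real HTML tokenizer, while this `TinySanitizer` module (a hypothetical name) only understands simple tags and does not decode entities, so treat it as a study of the allow-list idea rather than a drop-in replacement. The `ALLOWED_TAGS`, `ALLOWED_ATTRIBUTES` and `ALLOWED_PROTOCOLS` lists are assumptions chosen for the demo; the inputs are the ones from the post. The href check goes one step beyond the post: it drops link targets whose scheme is not on the allow-list, after removing whitespace and control characters that browsers ignore inside a scheme.

```ruby
require "strscan"

# Added illustration, not Rails' own code: a tiny allow-list sanitizer that mimics
# what strip_links, strip_tags, sanitize and simple_format do. Rails uses a real
# HTML tokenizer; this one handles only simple tags and does not decode entities.
module TinySanitizer
  ALLOWED_TAGS       = %w[p br strong em a ul ol li].freeze  # assumed allow-list
  ALLOWED_ATTRIBUTES = %w[class href].freeze                # assumed allow-list
  ALLOWED_PROTOCOLS  = %w[http https mailto].freeze         # assumed: schemes href may use
  DROP_CONTENT_TAGS  = %w[script style].freeze              # drop the tag and its content

  TAG_RE  = %r{<(/?)([a-zA-Z][a-zA-Z0-9]*)([^>]*?)/?>}
  ATTR_RE = %r{([a-zA-Z_:][-a-zA-Z0-9_:.]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))}

  # Splits markup into [:text, str] and [:open | :close, name, raw_attrs, original_tag].
  def self.tokenize(html)
    s = StringScanner.new(html)
    tokens = []
    until s.eos?
      if s.scan(TAG_RE)
        tokens << [s[1] == "/" ? :close : :open, s[2].downcase, s[3], s.matched]
      elsif (text = s.scan(/[^<]+/))
        tokens << [:text, text]
      else
        tokens << [:text, s.getch] # a stray "<" that does not start a tag
      end
    end
    tokens
  end

  # Text nodes: neutralise angle brackets so leftover markup can never become a tag.
  def self.escape_text(text)
    text.gsub("<", "&lt;").gsub(">", "&gt;")
  end

  # href values: relative URLs and the listed schemes only. Whitespace and control
  # characters are stripped first because browsers ignore them inside a scheme.
  def self.safe_url?(url)
    cleaned = url.gsub(/[[:space:][:cntrl:]]/, "").downcase
    scheme = cleaned[/\A([a-z][a-z0-9+.\-]*):/, 1]
    scheme.nil? || ALLOWED_PROTOCOLS.include?(scheme)
  end

  # Keeps only allowed attributes, and only safe values for href.
  def self.filter_attributes(raw_attrs, allowed)
    kept = []
    raw_attrs.scan(ATTR_RE) do |name, dq, sq, bare|
      name  = name.downcase
      value = dq || sq || bare
      next unless allowed.include?(name)
      next if name == "href" && !safe_url?(value)
      kept << %(#{name}="#{value.gsub('"', '&quot;')}")
    end
    kept.empty? ? "" : " " + kept.join(" ")
  end

  # sanitize: rebuild allowed tags with allowed attributes, drop everything else.
  def self.sanitize(html, tags: ALLOWED_TAGS, attributes: ALLOWED_ATTRIBUTES)
    out = +""
    skipping = 0 # > 0 while inside <script>/<style>, whose content is discarded
    tokenize(html).each do |type, value, raw_attrs, _original|
      case type
      when :text
        out << escape_text(value) if skipping.zero?
      when :open
        if DROP_CONTENT_TAGS.include?(value)
          skipping += 1
        elsif skipping.zero? && tags.include?(value)
          out << "<#{value}#{filter_attributes(raw_attrs, attributes)}>"
        end
      when :close
        if DROP_CONTENT_TAGS.include?(value)
          skipping -= 1 if skipping > 0
        elsif skipping.zero? && tags.include?(value)
          out << "</#{value}>"
        end
      end
    end
    out
  end

  # strip_tags: sanitize with nothing allowed, i.e. keep only the text.
  def self.strip_tags(html)
    sanitize(html, tags: [], attributes: [])
  end

  # strip_links: remove <a> tags only, leaving every other tag exactly as written.
  def self.strip_links(html)
    tokenize(html).map do |type, value, _raw_attrs, original|
      next "" if type != :text && value == "a"
      type == :text ? value : original
    end.join
  end

  # simple_format: sanitize, then two or more newlines open a new <p> and a
  # single newline becomes <br />.
  def self.simple_format(text, html_options = {})
    attrs = html_options.map { |k, v| %( #{k}="#{v}") }.join
    sanitize(text).split(/\n\n+/).map do |para|
      "<p#{attrs}>#{para.gsub("\n", "\n<br />")}</p>"
    end.join("\n")
  end
end
```

Running `TinySanitizer.sanitize` on the post's script example yields `<p class="foo">foo bar  baz</p>`, the same result the Rails helper produced: the disallowed `id` attribute and the whole script element are gone, while the allowed `class` survives. The design point worth noticing is that everything is an allow-list: tags, attributes and URL schemes are kept only when explicitly permitted, so anything the sanitizer does not understand is dropped rather than passed through.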

So I want to change this stuff. What happens now?

Rails lets you configure most of what is allowed and what is not when sanitizing content. Let's see the available options: