-
Notifications
You must be signed in to change notification settings - Fork 1
/
README
29 lines (18 loc) · 1.13 KB
/
README
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
WhiteList
=========
This White Listing helper will html encode all tags and strip all attributes that aren't specifically allowed.
It also strips href/src tags with invalid protocols, like javascript: especially. It does its best to counter any
tricks that hackers may use, like throwing in unicode/ascii/hex values to get past the javascript: filters. Check out
the extensive test suite.
<%= white_list @article.body %>
You can add or remove tags/attributes if you want to customize it a bit.
Add table tags
WhiteListHelper.tags.merge %w(table td th)
Remove tags
WhiteListHelper.tags.delete 'div'
Change allowed attributes
WhiteListHelper.attributes.merge %w(id class style)
white_list accepts a block for custom tag escaping. Shown below is the default block that white_list uses if none is given.
The block is called for all bad tags, and every text node. node is an instance of HTML::Node (either HTML::Tag or HTML::Text).
bad is nil for text nodes inside good tags, or is the tag name of the bad tag.
<%= white_list(@article.body) { |node, bad| white_listed_bad_tags.include?(bad) ? nil : node.to_s.gsub(/</, '<') } %>