
<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html 
     PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
     "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
  <title>Module: ActionView::Helpers::SanitizeHelper</title>
  <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
  <meta http-equiv="Content-Script-Type" content="text/javascript" />
  <link rel="stylesheet" href="../../.././rdoc-style.css" type="text/css" media="screen" />
  <script type="text/javascript">
  // <![CDATA[

  // Open a method's source listing in a small secondary window. The window is
  // named "Code" so repeated clicks reuse it instead of spawning new ones. The
  // URL is the static path rdoc wrote into the onclick attribute, not user input.
  function popupCode( url ) {
    var features = "resizable=yes,scrollbars=yes,toolbar=no,status=no,height=150,width=400";
    window.open(url, "Code", features);
  }

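  // Show or hide the element with the given id (the hidden method-source
  // blocks). Returns false when the browser offers no way to look the element
  // up or no element with that id exists, true after toggling.
  function toggleCode( id ) {
    var elem;
    if ( document.getElementById )
      elem = document.getElementById( id );
    else if ( document.all )
      // Property lookup instead of eval("document.all." + id): same result on
      // legacy IE without evaluating the id as code, and it also works for ids
      // that are not valid JavaScript identifiers.
      elem = document.all[ id ];
    else
      return false;

    // Guard against an unknown id; the original dereferenced elem.style blindly.
    if ( !elem )
      return false;

    var elemStyle = elem.style;

    if ( elemStyle.display != "block" ) {
      elemStyle.display = "block";
    } else {
      elemStyle.display = "none";
    }

    return true;
  }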
  
  // Method source blocks start hidden and are revealed by toggleCode(). The
  // rule is injected from script rather than from the stylesheet so that the
  // source remains visible when JavaScript is disabled.
  (function () {
    var hideSource = "<style type=\"text/css\">div.method-source-code { display: none }</style>";
    document.writeln( hideSource );
  })();
  
  // ]]>
  </script>

</head>
<body>



    <div id="classHeader">
        <table class="header-table">
        <tr class="top-aligned-row">
          <td><strong>Module</strong></td>
          <td class="class-name-in-header">ActionView::Helpers::SanitizeHelper</td>
        </tr>
        <tr class="top-aligned-row">
            <td><strong>In:</strong></td>
            <td>
                <a href="../../../files/lib/action_view/helpers/sanitize_helper_rb.html">
                lib/action_view/helpers/sanitize_helper.rb
                </a>
        <br />
            </td>
        </tr>

        </table>
    </div>
  <!-- banner header -->

  <div id="bodyContent">



  <div id="contextContent">

    <div id="description">
      <p>
The <a href="SanitizeHelper.html">SanitizeHelper</a> module provides a set
of methods for scrubbing text of undesired HTML elements. These helper
methods extend ActionView making them callable within your template files.
</p>

    </div>


   </div>

    <div id="method-list">
      <h3 class="section-bar">Methods</h3>

      <div class="name-list">
      <a href="#M000438">sanitize</a>&nbsp;&nbsp;
      <a href="#M000439">sanitize_css</a>&nbsp;&nbsp;
      <a href="#M000441">strip_links</a>&nbsp;&nbsp;
      <a href="#M000440">strip_tags</a>&nbsp;&nbsp;
      </div>
    </div>

  </div>


    <!-- if includes -->

    <div id="section">





      


    <!-- if method_list -->
    <div id="methods">
      <h3 class="section-bar">Public Instance methods</h3>

      <div id="method-M000438" class="method-detail">
        <a name="M000438"></a>

        <div class="method-heading">
          <a href="SanitizeHelper.src/M000438.html" target="Code" class="method-signature"
            onclick="popupCode('SanitizeHelper.src/M000438.html');return false;">
          <span class="method-name">sanitize</span><span class="method-args">(html, options = {})</span>
          </a>
        </div>
      
        <div class="method-description">
          <p>
This <tt><a href="SanitizeHelper.html#M000438">sanitize</a></tt> helper
will html encode all tags and strip all attributes that aren&#8217;t
specifically allowed. It also strips href/src attributes whose URL uses a
protocol that is not on the allowed list, most importantly
<tt>javascript:</tt>. It tries to defeat the usual obfuscation tricks, such
as unicode, ASCII or hex-encoded characters inserted to sneak a
<tt>javascript:</tt> URL past the protocol filter; see the extensive test
suite for the cases covered. Like any whitelist-based filter it can only
remove what it recognises, so keep the allowed tags and attributes as small
as your use case permits.
</p>
<pre>
  &lt;%= sanitize @article.body %&gt;
</pre>
<p>
You can add or remove tags/attributes if you want to customize it a bit.
See <a href="../Base.html">ActionView::Base</a> for full docs on the
available options. You can add tags/attributes for single uses of <tt><a
href="SanitizeHelper.html#M000438">sanitize</a></tt> by passing either the
<tt>:attributes</tt> or <tt>:tags</tt> options:
</p>
<p>
Normal Use
</p>
<pre>
  &lt;%= sanitize @article.body %&gt;
</pre>
<p>
Custom Use (only the listed tags and attributes are allowed, nothing else;
note that <tt>style</tt> values are passed through <tt>sanitize_css</tt>
rather than dropped, so allow that attribute only when you need it)
</p>
<pre>
  &lt;%= sanitize @article.body, :tags =&gt; %w(table tr td), :attributes =&gt; %w(id class style) %&gt;
</pre>
<p>
Add table tags to the default allowed tags
</p>
<pre>
  Rails::Initializer.run do |config|
    config.action_view.sanitized_allowed_tags = 'table', 'tr', 'td'
  end
</pre>
<p>
Remove tags from the default allowed tags
</p>
<pre>
  Rails::Initializer.run do |config|
    config.after_initialize do
      ActionView::Base.sanitized_allowed_tags.delete 'div'
    end
  end
</pre>
<p>
Change allowed default attributes
</p>
<pre>
  Rails::Initializer.run do |config|
    config.action_view.sanitized_allowed_attributes = 'id', 'class', 'style'
  end
</pre>
<p>
Please note that sanitizing user-provided text does not guarantee that the
resulting markup is valid (conforming to a document type) or even
well-formed. The output may still contain e.g. unescaped
&#8217;&lt;&#8217;, &#8217;&gt;&#8217;, &#8217;&amp;&#8217; characters and
confuse browsers.
</p>
        </div>
      </div>

      <div id="method-M000439" class="method-detail">
        <a name="M000439"></a>

        <div class="method-heading">
          <a href="SanitizeHelper.src/M000439.html" target="Code" class="method-signature"
            onclick="popupCode('SanitizeHelper.src/M000439.html');return false;">
          <span class="method-name">sanitize_css</span><span class="method-args">(style)</span>
          </a>
        </div>
      
        <div class="method-description">
          <p>
Sanitizes a block of CSS code. Used by <tt><a
href="SanitizeHelper.html#M000438">sanitize</a></tt> when it comes across a
style attribute.
</p>
        </div>
      </div>

      <div id="method-M000441" class="method-detail">
        <a name="M000441"></a>

        <div class="method-heading">
          <a href="SanitizeHelper.src/M000441.html" target="Code" class="method-signature"
            onclick="popupCode('SanitizeHelper.src/M000441.html');return false;">
          <span class="method-name">strip_links</span><span class="method-args">(html)</span>
          </a>
        </div>
      
        <div class="method-description">
          <p>
Strips all link (<tt>&lt;a&gt;</tt>) tags from <tt>html</tt>, leaving just the link text.
</p>
<h4>Examples</h4>
<pre>
  strip_links('&lt;a href=&quot;http://www.rubyonrails.org&quot;&gt;Ruby on Rails&lt;/a&gt;')
  # =&gt; Ruby on Rails

  strip_links('Please e-mail me at &lt;a href=&quot;mailto:me@email.com&quot;&gt;me@email.com&lt;/a&gt;.')
  # =&gt; Please e-mail me at me@email.com.

  strip_links('Blog: &lt;a href=&quot;http://www.myblog.com/&quot; class=&quot;nav&quot; target=\&quot;_blank\&quot;&gt;Visit&lt;/a&gt;.')
  # =&gt; Blog: Visit
</pre>
        </div>
      </div>

      <div id="method-M000440" class="method-detail">
        <a name="M000440"></a>

        <div class="method-heading">
          <a href="SanitizeHelper.src/M000440.html" target="Code" class="method-signature"
            onclick="popupCode('SanitizeHelper.src/M000440.html');return false;">
          <span class="method-name">strip_tags</span><span class="method-args">(html)</span>
          </a>
        </div>
      
        <div class="method-description">
          <p>
Strips all HTML tags from the <tt>html</tt>, including comments. This uses
the html-scanner tokenizer and so its HTML parsing ability is limited by
that of html-scanner. The result is plain text, not sanitized HTML: escape
it like any other untrusted string before rendering it, and use
<tt><a href="SanitizeHelper.html#M000438">sanitize</a></tt> instead when
you need to keep some markup.
</p>
<h4>Examples</h4>
<pre>
  strip_tags(&quot;Strip &lt;i&gt;these&lt;/i&gt; tags!&quot;)
  # =&gt; Strip these tags!

  strip_tags(&quot;&lt;b&gt;Bold&lt;/b&gt; no more!  &lt;a href='more.html'&gt;See more here&lt;/a&gt;...&quot;)
  # =&gt; Bold no more!  See more here...

  strip_tags(&quot;&lt;div id='top-bar'&gt;Welcome to my website!&lt;/div&gt;&quot;)
  # =&gt; Welcome to my website!
</pre>
        </div>
      </div>


    </div>


  </div>


<div id="validator-badges">
  <p><small><a href="http://validator.w3.org/check/referer">[Validate]</a></small></p>
</div>

</body>
</html>