<?xml version="1.0" encoding="iso-8859-1"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head> <title>Module: ActionView::Helpers::SanitizeHelper</title> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" /> <meta http-equiv="Content-Script-Type" content="text/javascript" /> <link rel="stylesheet" href="../../.././rdoc-style.css" type="text/css" media="screen" /> <script type="text/javascript"> // <![CDATA[ function popupCode( url ) { window.open(url, "Code", "resizable=yes,scrollbars=yes,toolbar=no,status=no,height=150,width=400") } function toggleCode( id ) { if ( document.getElementById ) elem = document.getElementById( id ); else if ( document.all ) elem = eval( "document.all." + id ); else return false; elemStyle = elem.style; if ( elemStyle.display != "block" ) { elemStyle.display = "block" } else { elemStyle.display = "none" } return true; } // Make codeblocks hidden by default document.writeln( "<style type=\"text/css\">div.method-source-code { display: none }</style>" ) // ]]> </script> </head> <body> <div id="classHeader"> <table class="header-table"> <tr class="top-aligned-row"> <td><strong>Module</strong></td> <td class="class-name-in-header">ActionView::Helpers::SanitizeHelper</td> </tr> <tr class="top-aligned-row"> <td><strong>In:</strong></td> <td> <a href="../../../files/lib/action_view/helpers/sanitize_helper_rb.html"> lib/action_view/helpers/sanitize_helper.rb </a> <br /> </td> </tr> </table> </div> <!-- banner header --> <div id="bodyContent"> <div id="contextContent"> <div id="description"> <p> The <a href="SanitizeHelper.html">SanitizeHelper</a> module provides a set of methods for scrubbing text of undesired HTML elements. These helper methods extend ActionView making them callable within your template files. 
</p> </div> </div> <div id="method-list"> <h3 class="section-bar">Methods</h3> <div class="name-list"> <a href="#M000438">sanitize</a> <a href="#M000439">sanitize_css</a> <a href="#M000441">strip_links</a> <a href="#M000440">strip_tags</a> </div> </div> </div> <!-- if includes --> <div id="section"> <!-- if method_list --> <div id="methods"> <h3 class="section-bar">Public Instance methods</h3> <div id="method-M000438" class="method-detail"> <a name="M000438"></a> <div class="method-heading"> <a href="SanitizeHelper.src/M000438.html" target="Code" class="method-signature" onclick="popupCode('SanitizeHelper.src/M000438.html');return false;"> <span class="method-name">sanitize</span><span class="method-args">(html, options = {})</span> </a> </div> <div class="method-description"> <p> This <tt><a href="SanitizeHelper.html#M000438">sanitize</a></tt> helper HTML-encodes every tag that is not specifically allowed and strips every attribute that is not specifically allowed. It also strips href/src attributes whose protocol is not allowed, javascript: in particular, and it does its best to counter the tricks used to get past the javascript: filter, such as hiding the protocol behind unicode, ASCII or hex character values. Check out the extensive test suite. </p> <pre> <%= sanitize @article.body %> </pre> <p> You can add or remove tags/attributes if you want to customize it a bit. See <a href="../Base.html">ActionView::Base</a> for full docs on the available options. 
You can add tags/attributes for single uses of <tt><a href="SanitizeHelper.html#M000438">sanitize</a></tt> by passing either the <tt>:attributes</tt> or <tt>:tags</tt> options: </p> <p> Normal Use </p> <pre> <%= sanitize @article.body %> </pre> <p> Custom Use (only the mentioned tags and attributes are allowed, nothing else) </p> <pre> <%= sanitize @article.body, :tags => %w(table tr td), :attributes => %w(id class style) %> </pre> <p> Add table tags to the default allowed tags </p> <pre> Rails::Initializer.run do |config| config.action_view.sanitized_allowed_tags = 'table', 'tr', 'td' end </pre> <p> Remove tags from the default allowed tags </p> <pre> Rails::Initializer.run do |config| config.after_initialize do ActionView::Base.sanitized_allowed_tags.delete 'div' end end </pre> <p> Change the default allowed attributes </p> <pre> Rails::Initializer.run do |config| config.action_view.sanitized_allowed_attributes = 'id', 'class', 'style' end </pre> <p> Please note that sanitizing user-provided text does not guarantee that the resulting markup is valid (conforming to a document type) or even well-formed. The output may still contain unescaped '<', '>' and '&' characters that confuse browsers: it is a filter for dangerous markup, not a validator. </p> </div> </div> <div id="method-M000439" class="method-detail"> <a name="M000439"></a> <div class="method-heading"> <a href="SanitizeHelper.src/M000439.html" target="Code" class="method-signature" onclick="popupCode('SanitizeHelper.src/M000439.html');return false;"> <span class="method-name">sanitize_css</span><span class="method-args">(style)</span> </a> </div> <div class="method-description"> <p> Sanitizes a block of CSS code. Used by <tt><a href="SanitizeHelper.html#M000438">sanitize</a></tt> when it comes across a style attribute; it is also callable on its own for CSS accepted from users outside a <tt>style</tt> attribute. 
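The checks described for <tt>sanitize</tt> and <tt>sanitize_css</tt> above, as an added example rather than Rails' own code: a scheme allowlist for href/src values that survives the unicode/hex/entity tricks, and a declaration-level scrubber for style values, written in plain Ruby so that it runs without ActionView. The allowlists (<tt>ALLOWED_PROTOCOLS</tt>, <tt>ALLOWED_CSS_PROPERTIES</tt>), the method names and the sample inputs are illustrative choices made for this example, not Rails' defaults.

```ruby
# Added example, not the Rails implementation: a scheme allowlist for href/src
# and a scrubber for style values, both applied to the value as a browser sees
# it, i.e. after character references are decoded. Allowlists are illustrative.
ALLOWED_PROTOCOLS = %w(http https ftp mailto).freeze

# A few named references in their HTML5 spelling (lookup is case-sensitive).
NAMED_REFS = { 'amp' => '&', 'lt' => '<', 'gt' => '>', 'quot' => '"', 'apos' => "'",
               'colon' => ':', 'Tab' => "\t", 'NewLine' => "\n" }.freeze

# Decode character references in a single pass, as a browser does, so that
# "&amp;#106;" becomes "&#106;" and stays that way. Browsers accept numeric
# references without the trailing semicolon, so it is optional here too.
def decode_char_refs(value)
  value.gsub(/&(?:#x([0-9a-f]{1,6})|#([0-9]{1,7})|([a-zA-Z]+));?/i) do
    if $3
      NAMED_REFS[$3] || $&
    else
      cp = $1 ? $1.to_i(16) : $2.to_i
      begin
        cp.chr(Encoding::UTF_8)
      rescue RangeError
        "\uFFFD" # surrogate or out-of-range code point
      end
    end
  end
end

# Normalise like a URL parser before looking at the scheme: tabs and newlines
# vanish anywhere, C0 controls and spaces are trimmed at both ends, and any
# control character still inside is a trick, so it goes too. "%3A" counts as a
# colon, which is stricter than a browser.
def normalize_uri(value)
  v = decode_char_refs(value).delete("\t\n\r")
  v = v.gsub(/\A[\x00-\x20]+|[\x00-\x20]+\z/, '').gsub(/[\x00-\x1f\x7f]/, '')
  v.gsub(/%3a/i, ':')
end

# True for a relative URL (no scheme) or an allowlisted scheme. The candidate
# scheme is everything before the first ':' unless '/', '?' or '#' comes first,
# so "/a:b" and "?q=javascript:1" are relative while "javascript:x" is not.
def safe_uri?(value)
  m = normalize_uri(value).match(%r{\A([^/?#:]*):})
  return true unless m
  ALLOWED_PROTOCOLS.include?(m[1].downcase)
end

# What the sanitizer does with an attribute: keep the value, or nil to drop it.
def sanitize_uri_attribute(name, value)
  return value unless %w(href src).include?(name.downcase)
  safe_uri?(value) ? value : nil
end

ALLOWED_CSS_PROPERTIES = %w(color background-color font-size font-weight font-style
                            text-align text-decoration margin padding border width height).freeze

# One value token: hex colour, rgb() triplet, number with optional unit, or a
# bare keyword. No quotes and no other parentheses, so no url() or expression().
CSS_TOKEN = /\A(?:#[0-9a-f]{3,6}|rgb\(\s*\d{1,3}%?\s*,\s*\d{1,3}%?\s*,\s*\d{1,3}%?\s*\)|-?\d+(?:\.\d+)?(?:px|em|ex|pt|pc|cm|mm|in|%)?|[a-z][a-z0-9-]*)\z/i

# Keep only allowlisted properties whose every value token fits CSS_TOKEN; a
# failing declaration is dropped, not repaired. Comments and backslash escapes
# are how "expression(" and "url(" slip past naive matching, so an attribute
# containing either is rejected outright.
def sanitize_style_attribute(style)
  css = decode_char_refs(style).gsub(/[\x00-\x1f\x7f]/, ' ')
  return '' if css.include?('/*') || css.include?('\\')
  css.split(';').map do |decl|
    prop, value = decl.split(':', 2)
    next if value.nil?
    prop = prop.strip.downcase
    next unless ALLOWED_CSS_PROPERTIES.include?(prop)
    tokens = value.strip.scan(/rgb\([^)]*\)|\S+/i)
    next if tokens.empty? || tokens.any? { |t| !t.match?(CSS_TOKEN) }
    "#{prop}: #{tokens.join(' ')}"
  end.compact.join('; ')
end

# Constructed sample href values with the verdict each should get.
SAMPLE_HREFS = {
  'http://example.com/'          => true,
  '/relative/path'               => true,
  'mailto:me@example.com'        => true,
  'javascript:alert(1)'          => false,
  '&#106;avascript:alert(1)'     => false, # decimal reference
  '&#x6A;avascript&#58;alert(1)' => false, # hex references
  '&#106avascript:alert(1)'      => false, # reference without semicolon
  "jav&#x09;ascript:alert(1)"    => false, # encoded tab inside the scheme
  "java\u0000script:alert(1)"    => false, # NUL inside the scheme
  '  javascript:alert(1)'        => false, # leading whitespace
  'data:text/html;base64,AAAA'   => false,
}.freeze

# Sample values whose verdict differs from the expected one; empty when all agree.
def href_mismatches
  SAMPLE_HREFS.reject { |value, expected| safe_uri?(value) == expected }.keys
end
```

The scheme check is deliberately stricter than a browser's URL parser: a percent-encoded colon counts as a separator and anything before the first colon counts as a scheme, so the only values that get through are plainly harmless ones, at the cost of dropping odd relative paths such as a%3Ab. The style scrubber drops a whole declaration rather than patching its value, and refuses the attribute outright on a CSS comment or a backslash, because both are escape hatches around token matching. Neither check makes the surrounding markup well-formed, which is the caveat given above for <tt>sanitize</tt>.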
</p> </div> </div> <div id="method-M000441" class="method-detail"> <a name="M000441"></a> <div class="method-heading"> <a href="SanitizeHelper.src/M000441.html" target="Code" class="method-signature" onclick="popupCode('SanitizeHelper.src/M000441.html');return false;"> <span class="method-name">strip_links</span><span class="method-args">(html)</span> </a> </div> <div class="method-description"> <p> Strips all link tags from <tt>html</tt>, leaving just the link text. Only the <tt>a</tt> elements are removed; any other markup is left in place. </p> <h4>Examples</h4> <pre> strip_links('<a href="http://www.rubyonrails.org">Ruby on Rails</a>') # => Ruby on Rails strip_links('Please e-mail me at <a href="mailto:me@email.com">me@email.com</a>.') # => Please e-mail me at me@email.com. strip_links('Blog: <a href="http://www.myblog.com/" class="nav" target="_blank">Visit</a>.') # => Blog: Visit </pre> </div> </div> <div id="method-M000440" class="method-detail"> <a name="M000440"></a> <div class="method-heading"> <a href="SanitizeHelper.src/M000440.html" target="Code" class="method-signature" onclick="popupCode('SanitizeHelper.src/M000440.html');return false;"> <span class="method-name">strip_tags</span><span class="method-args">(html)</span> </a> </div> <div class="method-description"> <p> Strips all HTML tags from <tt>html</tt>, including comments. This uses the html-scanner tokenizer, so its HTML parsing ability is limited by that of html-scanner. The text it returns is not HTML-escaped, so escape it (for example with <tt>h</tt>) before rendering it inside a template. </p> <h4>Examples</h4> <pre> strip_tags("Strip <i>these</i> tags!") # => Strip these tags! strip_tags("<b>Bold</b> no more! <a href='more.html'>See more here</a>...") # => Bold no more! See more here... strip_tags("<div id='top-bar'>Welcome to my website!</div>") # => Welcome to my website! </pre> </div> </div> </div> </div> <div id="validator-badges"> <p><small><a href="http://validator.w3.org/check/referer">[Validate]</a></small></p> </div> </body> </html>