module Sanitize::Rails::Engine

Public Instance Methods

clean(string)

Returns a copy of the given `string` after sanitizing it and marking it as `html_safe`

Ensuring this method returns instances of ActiveSupport::SafeBuffer means that text passed through `Sanitize::Rails::Engine.clean` will not be escaped by ActionView's XSS filtering utilities.

# File lib/sanitize/rails/engine.rb, line 57
# Returns a sanitized copy of +string+ wrapped in an
# ActiveSupport::SafeBuffer (i.e. marked html_safe), so ActionView renders
# it without further escaping.
#
# Because the result bypasses view escaping, the configured Sanitize
# allowlists (see +config+ / +configure+) are the only filter between the
# input and the rendered page.
#
# @param string [String] the markup to sanitize
# @return [ActiveSupport::SafeBuffer] the sanitized markup
def clean(string)
  fragment = cleaned_fragment(string)
  ::ActiveSupport::SafeBuffer.new(fragment)
end
clean!(string)

Sanitizes the given `string` in place and does NOT mark it as `html_safe`

# File lib/sanitize/rails/engine.rb, line 63
# Sanitizes +string+ in place (via String#replace) and returns it.
#
# Unlike +clean+, the result is NOT marked html_safe, so ActionView will
# still escape it on output. A nil argument yields '' without touching
# anything; a frozen string cannot be replaced and raises FrozenError.
#
# @param string [String, nil] the markup to sanitize, mutated in place
# @return [String] +string+ itself after sanitizing, or '' for nil
def clean!(string)
  if string.nil?
    ''
  else
    string.replace(cleaned_fragment(string))
  end
end
cleaner()

Returns a memoized instance of the Engine with the configuration passed to the configure method or with ActionView's default config

# File lib/sanitize/rails/engine.rb, line 47
# The memoized ::Sanitize instance built from +config+.
#
# +configure+ clears this memo, so a new configuration takes effect on
# the next call.
#
# @return [Sanitize] the shared sanitizer instance
def cleaner
  @_cleaner || (@_cleaner = ::Sanitize.new(config))
end
config()
# File lib/sanitize/rails/engine.rb, line 27
# Builds, once, the default Sanitize configuration from ActionView's own
# sanitizer allowlists and memoizes it.
#
# Keys of the returned Hash:
#   :elements           - allowed tags (ActionView::Base.sanitized_allowed_tags, via to_a)
#   :attributes         - { :all => allowed attributes } for every element
#   :protocols          - { :all => allowed URL protocols } for every attribute
#   :entities_whitelist - entity => decoded-value map consulted by
#                         +cleaned_fragment+; empty by default
#
# Unlike a Hash passed to +configure+, this default is not frozen.
#
# @return [Hash] the memoized configuration
def config
  return @_config if @_config

  base = ::ActionView::Base
  @_config = {
    elements: base.sanitized_allowed_tags.to_a,
    attributes: { all: base.sanitized_allowed_attributes.to_a },
    protocols: { all: base.sanitized_allowed_protocols.to_a },
    entities_whitelist: {}
  }
end
configure(config)

Changes the Sanitizer configuration.

# File lib/sanitize/rails/engine.rb, line 8
# Replaces the Sanitize configuration and discards the memoized cleaner
# so the next +cleaner+ call rebuilds it with the new settings.
#
# +config+ is frozen in place: the caller's Hash itself becomes frozen,
# and only shallowly (nested Hashes such as :attributes stay mutable).
#
# @param config [Hash] a Sanitize configuration Hash (see +config+ for keys)
# @return [nil]
def configure(config)
  @_cleaner = nil
  @_config = config.freeze
  nil
end

Private Instance Methods

cleaned_fragment(string)
# File lib/sanitize/rails/engine.rb, line 92
# Runs +string+ through the memoized Sanitize instance and, when a
# non-empty :entities_whitelist is configured (present?), decodes those
# entities in the result.
#
# Reads @_config directly rather than +config+; +cleaner+ is called first
# and populates @_config via +config+ when nothing has been configured.
#
# @param string [String] the markup to sanitize
# @return [String] the sanitized fragment
def cleaned_fragment(string)
  fragment = cleaner.fragment(string)
  return fragment unless @_config[:entities_whitelist].present?

  decode_whitelisted_entities(fragment)
end
decode_whitelisted_entities(string)
# File lib/sanitize/rails/engine.rb, line 84
# Replaces, in place, every occurrence of each configured entity in
# +string+ with its decoded value and returns the same String object.
#
# Entries are applied one after another as literal (non-regexp)
# substitutions, so a later replacement can match text produced by an
# earlier one. The values are inserted verbatim after Sanitize has run;
# decoding an entity such as &lt; therefore re-materializes a character
# the sanitizer had neutralized, so the allowlist should be limited to
# entities whose decoded form cannot form markup.
#
# @param string [String] sanitized markup, mutated in place
# @return [String] +string+
def decode_whitelisted_entities(string)
  @_config[:entities_whitelist].each_with_object(string) do |(entity, decoded), target|
    target.gsub!(entity.to_s, decoded.to_s)
  end
end