module Shamu::Attributes::HtmlSanitation
Adds an HTML sanitation option to attributes. When present, string values will be sanitized when the attribute is read.
The raw unfiltered value is always available as `#{ attribute }_raw`.
Constants
- BODY_TAGS: Tags safe for body text.
- SIMPLE_TAGS: Tags safe for simple text.
- STANDARD_FILTER_METHODS: The standard HTML sanitation filter methods.
- UNSAFE_TAGS: Tags that are not safe.
Public Instance Methods
(see Attributes.attribute)

@param [Symbol,#call] html sanitation options. Acceptable values are:
- `:none` strip all HTML. The default.
- `:simple` simple formatting suitable for most places. See {#simple_html_sanitize} for details.
- `:body` basic formatting for 'body' text. See {#body_html_sanitize} for details.
- `:allow` permit any HTML tag. Nothing is removed; links only receive `rel="nofollow"`. See {#allow_html_sanitize} for details.
- Any other symbol is assumed to be a method on the entity that will be called to filter the HTML.
- `#call` anything that responds to `#call` (it is installed with `define_method`, so it must also convert with `to_proc`, as a Proc, lambda or Method does) that takes a single argument of the raw string and returns the sanitized HTML.
```ruby
# File lib/shamu/attributes/html_sanitation.rb, line 47
def attribute( name, *args, **options, &block )
  super.tap do
    define_html_sanitized_attribute_reader( name, options[ :html ] ) if options.key?( :html )
  end
end
```
```ruby
# File lib/shamu/attributes/html_sanitation.rb, line 55
def define_attribute_reader( name, as: nil, ** )
  super
  class_eval <<-RUBY, __FILE__, __LINE__ + 1
    def #{ name }_raw                           # def attribute_raw
      return @#{ name } if defined? @#{ name }  #   return @attribute if defined? @attribute
      @#{ name } = fetch_#{ name }              #   @attribute = fetch_attribute
    end                                         # end
  RUBY
end
```
```ruby
# File lib/shamu/attributes/html_sanitation.rb, line 66
def define_html_sanitized_attribute_reader( name, method )
  method ||= :none
  filter_method = resolve_html_filter_method( name, method )
  class_eval <<-RUBY, __FILE__, __LINE__ + 1
    def #{ name }                                                          # def attribute
      return @#{ name }_html_sanitized if defined? @#{ name }_html_sanitized  #   return @attribute_html_sanitized if defined? @attribute_html_sanitized
      @#{ name }_html_sanitized = #{ filter_method }( #{ name }_raw )      #   @attribute_html_sanitized = simple_html_sanitize( attribute_raw )
    end                                                                    # end
  RUBY
end
```

The sanitized value is memoized separately from the raw one, so the filter runs once per instance; a later change to the underlying value is not picked up by a reader that has already been called.
```ruby
# File lib/shamu/attributes/html_sanitation.rb, line 78
def resolve_html_filter_method( name, method )
  if STANDARD_FILTER_METHODS.include?( method )
    "#{ method }_html_sanitize"
  elsif method.is_a?( Symbol )
    method
  else
    filter_method = "custom_#{ name }_html_sanitize"
    define_method filter_method, &method
    filter_method
  end
end
```
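The following is an added example, not Shamu's own code: a stand-alone reproduction of the reader plumbing above (raw reader, memoized sanitized reader, and the three ways an `html:` option is resolved) so the dispatch can be exercised without the gem. Loofah is not used; `DemoFilters`, `DemoComment`, `demo_sanitize` and `DEMO_INPUT` are constructed for the example, and the regex filters are stand-ins that only make the dispatch observable, not real sanitizers.

```ruby
# Added example, not Shamu's own code. Reproduces the reader plumbing of
# Shamu::Attributes::HtmlSanitation with stand-in filters instead of Loofah.
module HtmlSanitationDemo
  # Assumption: Shamu's real constant also covers :body; the demo omits it.
  STANDARD_FILTER_METHODS = %i[none simple allow].freeze

  # Mirrors `attribute name, html: ...`.
  def attribute(name, html: :none)
    define_attribute_reader(name)
    define_html_sanitized_attribute_reader(name, html)
  end

  # `#{name}_raw` memoizes whatever the entity's `fetch_#{name}` returns.
  def define_attribute_reader(name)
    class_eval <<-RUBY, __FILE__, __LINE__ + 1
      def #{name}_raw
        return @#{name} if defined? @#{name}
        @#{name} = fetch_#{name}
      end
    RUBY
  end

  # `#{name}` memoizes the filtered value separately from the raw one.
  def define_html_sanitized_attribute_reader(name, method)
    method ||= :none
    filter_method = resolve_html_filter_method(name, method)
    class_eval <<-RUBY, __FILE__, __LINE__ + 1
      def #{name}
        return @#{name}_html_sanitized if defined? @#{name}_html_sanitized
        @#{name}_html_sanitized = #{filter_method}(#{name}_raw)
      end
    RUBY
  end

  # Standard symbol -> "<sym>_html_sanitize"; any other symbol -> entity method
  # of that name; anything else -> installed as custom_<name>_html_sanitize.
  def resolve_html_filter_method(name, method)
    if STANDARD_FILTER_METHODS.include?(method)
      "#{method}_html_sanitize"
    elsif method.is_a?(Symbol)
      method
    else
      filter_method = "custom_#{name}_html_sanitize"
      define_method filter_method, &method
      filter_method
    end
  end
end

# Constructed stand-ins for the Loofah-backed filters. Demo only: they ignore
# attributes, comments and malformed markup and must not be used as sanitizers.
module DemoFilters
  SIMPLE_TAGS = %w[b i strong em].freeze

  def none_html_sanitize(value)
    return value unless value.is_a?(String)
    value.gsub(/<[^>]*>/, "")                       # drop every tag, keep text
  end

  def simple_html_sanitize(value)
    return value unless value.is_a?(String)
    value.gsub(/<(?!\/?(?:#{SIMPLE_TAGS.join("|")})\b)[^>]*>/i, "")
  end

  def allow_html_sanitize(value)
    value                                           # nothing removed at all
  end
end

# Hypothetical entity exercising every kind of `html:` option.
class DemoComment
  extend HtmlSanitationDemo
  include DemoFilters

  attribute :summary,  html: :none
  attribute :text,     html: :simple
  attribute :markup,   html: :allow
  attribute :headline, html: :shout               # a method on the entity
  attribute :slug,     html: ->(raw) { raw.to_s.gsub(/<[^>]*>/, "").strip.downcase.tr(" ", "-") }

  attr_reader :fetches

  def initialize(source)
    @source  = source
    @fetches = 0
  end

  %i[summary text markup headline slug].each do |name|
    define_method("fetch_#{name}") { @fetches += 1; @source[name] }
  end

  def shout(value)
    none_html_sanitize(value).upcase
  end
end

# Reads every attribute twice and reports the fetch count, so the memoization
# of both readers can be checked alongside the filtered values.
def demo_sanitize(source)
  comment = DemoComment.new(source)
  result = {}
  %i[summary text markup headline slug].each do |name|
    2.times { comment.public_send(name) }         # second read must hit the cache
    result[name] = comment.public_send(name)
  end
  result[:summary_raw] = comment.summary_raw
  result[:fetches] = comment.fetches
  result
end

DEMO_INPUT = {                                    # constructed sample input
  summary:  "<b>Hello</b> <script>alert(1)</script>",
  text:     "<b>Hi</b> <script>x</script> <em>there</em>",
  markup:   "<a href=\"#\" onclick=\"steal()\">link</a>",
  headline: "<i>big</i> news",
  slug:     "<i>Big</i> News",
}.freeze
```

Running `demo_sanitize(DEMO_INPUT)` shows `:allow` returning the `onclick` handler untouched, the raw value still reachable through `summary_raw`, and a fetch count of five for five attributes read several times each, which is the memoization described above.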
Private Instance Methods
Permits any HTML tag. The value is still parsed by Loofah and passed through the `:no_follow` scrubber, which adds `rel="nofollow"` to links, but no tag or attribute is removed, so scripts and event handlers survive. Treat the output of this filter as untrusted markup.

@param [String] value to sanitize.
@return [String] the value re-serialized with `rel="nofollow"` on links.

```ruby
# File lib/shamu/attributes/html_sanitation.rb, line 151
def allow_html_sanitize( value )
  return value unless value.is_a?( String )
  Loofah.fragment( value ).scrub!( :no_follow ).to_s
end
```
Remove all but a limited subset of common tags useful for body copy text. See {BODY_TAGS}.

@param [String] value to sanitize.
@return [String] the sanitized value.

```ruby
# File lib/shamu/attributes/html_sanitation.rb, line 124
def body_html_sanitize( value )
  return value unless value.is_a?( String )
  Loofah.fragment( value ).scrub!( BodyScrubber.new ).to_s
end
```
Remove all HTML from the value.

@param [String] value to sanitize.
@return [String] the sanitized value.

```ruby
# File lib/shamu/attributes/html_sanitation.rb, line 99
def none_html_sanitize( value )
  return value unless value.is_a?( String )
  Loofah.fragment( value ).scrub!( NoneScrubber.new ).to_s
end
```
Scrubs the value with {SafeScrubber} and then applies Loofah's `:no_follow` scrubber, which adds `rel="nofollow"` to links. Unlike {#none_html_sanitize} it does not remove all HTML.

@param [String] value to sanitize.
@return [String] the sanitized value.

```ruby
# File lib/shamu/attributes/html_sanitation.rb, line 136
def safe_html_sanitize( value )
  return value unless value.is_a?( String )
  Loofah.fragment( value )
        .scrub!( SafeScrubber.new )
        .scrub!( :no_follow )
        .to_s
end
```
Remove all but the simplest HTML tags: `<b>`, `<i>`, `<strong>`, `<em>`. See {SIMPLE_TAGS}.

@param [String] value to sanitize.
@return [String] the sanitized value.

```ruby
# File lib/shamu/attributes/html_sanitation.rb, line 111
def simple_html_sanitize( value )
  return value unless value.is_a?( String )
  Loofah.fragment( value ).scrub!( SimpleScrubber.new ).to_s
end
```