class HTML::Pipeline::SanitizationFilter
HTML
filter with sanization routines and whitelists. This module defines what HTML
is allowed in user provided content and fixes up issues with unbalanced tags and whatnot.
See the Sanitize docs for more information on the underlying library:
github.com/rgrove/sanitize/#readme
Context options:
:whitelist - The sanitizer whitelist configuration to use. This can be one of the options constants defined in this class or a custom sanitize options hash.
This filter does not write additional information to the context.
Constants
- FULL
Strip all
HTML
tags from the document.- LIMITED
A more limited sanitization whitelist. This includes all attributes, protocols, and transformers from
WHITELIST
but with a more locked down set of allowed elements.- LISTS
- LIST_ITEM
- TABLE
- TABLE_ITEMS
List of table child elements. These must be contained by a <table> element or they are not allowed through. Otherwise they can be used to break out of places we’re using tables to contain formatted user content (like pull request review comments).
- WHITELIST
The main sanitization whitelist. Only these elements and attributes are allowed through by default.
Public Instance Methods
Sanitize markup using the Sanitize library.
# File lib/html/pipeline/sanitization_filter.rb, line 94 def call Sanitize.clean_node!(doc, whitelist) end
The whitelist to use when sanitizing. This can be passed in the context hash to the filter but defaults to WHITELIST
constant value above.
# File lib/html/pipeline/sanitization_filter.rb, line 100 def whitelist context[:whitelist] || WHITELIST end