class Rails::Html::PermitScrubber
Rails::Html::PermitScrubber allows you to permit only your own tags and/or attributes.
Rails::Html::PermitScrubber can be subclassed to determine:
- When a node should be skipped via skip_node?.
- When a node is allowed via allowed_node?.
- When an attribute should be scrubbed via scrub_attribute?.
Subclasses don't need to worry about whether tags or attributes are set. If tags or attributes are not set, Loofah's behavior will be used. If you override allowed_node? and no tags are set, it will not be called; instead Loofah's behavior will be used. Likewise for scrub_attribute? and attributes.
Text and CDATA nodes are skipped by default. Unallowed elements are stripped, i.e. the element is removed but its subtree is kept. Supplied tags and attributes should be Enumerables.
tags= If set, elements not in the set will be stripped. If not set, elements are stripped based on Loofah's HTML5::Scrub.allowed_element?.
attributes= If set, attributes not in the set will be removed. If not set, attributes are removed based on Loofah's HTML5::Scrub.scrub_attributes.
class CommentScrubber < Html::PermitScrubber
  def allowed_node?(node)
    !%w(form script comment blockquote).include?(node.name)
  end

  def skip_node?(node)
    node.text?
  end

  def scrub_attribute?(name)
    name == "style"
  end
end
See the documentation for Nokogiri::XML::Node to understand what's possible with nodes: nokogiri.org/Nokogiri/XML/Node.html
Attributes
Public Class Methods
# File lib/rails/html/scrubbers.rb, line 49
def initialize
  @direction = :bottom_up
  @tags, @attributes = nil, nil
end
Public Instance Methods
# File lib/rails/html/scrubbers.rb, line 58
def attributes=(attributes)
  @attributes = validate!(attributes, :attributes)
end

# File lib/rails/html/scrubbers.rb, line 62
def scrub(node)
  return CONTINUE if skip_node?(node)

  unless keep_node?(node)
    return STOP if scrub_node(node) == STOP
  end

  scrub_attributes(node)
end
Protected Instance Methods
# File lib/rails/html/scrubbers.rb, line 74
def allowed_node?(node)
  @tags.include?(node.name)
end

# File lib/rails/html/scrubbers.rb, line 86
def keep_node?(node)
  if @tags
    allowed_node?(node)
  else
    Loofah::HTML5::Scrub.allowed_element?(node.name)
  end
end

# File lib/rails/html/scrubbers.rb, line 82
def scrub_attribute?(name)
  !@attributes.include?(name)
end

# File lib/rails/html/scrubbers.rb, line 99
def scrub_attributes(node)
  if @attributes
    node.attribute_nodes.each do |attr|
      attr.remove if scrub_attribute?(attr.name)
    end

    scrub_css_attribute(node)
  else
    Loofah::HTML5::Scrub.scrub_attributes(node)
  end
end

# File lib/rails/html/scrubbers.rb, line 111
def scrub_css_attribute(node)
  if Loofah::HTML5::Scrub.respond_to?(:scrub_css_attribute)
    Loofah::HTML5::Scrub.scrub_css_attribute(node)
  else
    style = node.attributes['style']
    style.value = Loofah::HTML5::Scrub.scrub_css(style.value) if style
  end
end

# File lib/rails/html/scrubbers.rb, line 94
def scrub_node(node)
  node.before(node.children) # strip
  node.remove
end

# File lib/rails/html/scrubbers.rb, line 78
def skip_node?(node)
  node.text? || node.cdata?
end

# File lib/rails/html/scrubbers.rb, line 120
def validate!(var, name)
  if var && !var.is_a?(Enumerable)
    raise ArgumentError, "You should pass :#{name} as an Enumerable"
  end
  var
end