White List Objectified plugin

Plugin details

Objectified version of Technoweenie's white_list plugin for Rails. Implemented as a class, not as a helper.

Websitehttp://github.com/railsmonk/white_list_objectified/tree/master Repositorygit://github.com/railsmonk/white_list_objectified.git Author Dima Sabanin Tags whitelist LicenseMIT

Documentation

Install the plugin: 
ruby script/plugin install git://github.com/railsmonk/white_list_objectified.git

This White Listing helper will html encode all tags and strip all attributes that aren't specifically allowed.

It also strips href/src tags with invalid protocols, like javascript: especially. It does its best to counter any tricks that hackers may use, like throwing in unicode/ascii/hex values to get past the javascript: filters. Check out the extensive test suite. 

  <%= white_list @article.body %>


You can add or remove tags/attributes if you want to customize it a bit.

Add table tags 

  WhiteListHelper.tags.merge %w(table td th)


Remove tags 

  WhiteListHelper.tags.delete 'div'


Change allowed attributes 

  WhiteListHelper.attributes.merge %w(id class style)


white_list accepts a block for custom tag escaping. Shown below is the default block that white_list uses if none is given.

The block is called for all bad tags, and every text node. node is an instance of HTML::Node (either HTML::Tag or HTML::Text). bad is nil for text nodes inside good tags, or is the tag name of the bad tag. 

  <%= white_list(@article.body) { |node, bad| white_listed_bad_tags.include?(bad) ? nil : node.to_s.gsub(/</, '&lt;') } 
  %>

Further Documentation

There is currently no advanced documentation for this plugin.

New documentation

Edit plugin | Back in time (2 older versions) | Last edited by: hardway, about 1 month ago