An easy bridge to integrate Ryan Grove's HTML Whitelist Sanitizer in your Rails application.
Installation
Gemfile
:
gem 'sanitize-rails', require: 'sanitize/rails'
Configuration
Pass the configuration to Sanitize
calling Sanitize::Rails.configure
in
an initializer, say config/initializers/sanitizer.rb
:
Sanitize::Rails.configure(
elements: [ ... ],
attributes: { ... },
...
)
You may pass escape_entities: false
if you don't want to escape
html entities. Example: Hello & World
will not be changed to
Hello & World
Check out the example in the example/
directory.
Usage
ActionView sanitize
helper is transparently overriden to use the Sanitize
gem.
A sanitize
helper is added to ActiveRecord
, that installs on create/save
callbacks that sanitize the given attributes before persisting them to the
database. Example:
app/models/foo.rb
:
class Foo < ActiveRecord::Base
sanitizes :description # on save by default
sanitizes :body, on: :create
sanitizes :remarks, on: :save
end
Testing
RSpec
spec/spec_helper.rb
:
require 'sanitize/rails/matchers'
in spec code:
describe Post do
# Simplest variant, single field and default values
it { should sanitize_field :title }
# Multiple fields
it { should sanitize_fields :title, :body }
# Specifing both text to sanitize and expected result
it { should sanitize_field(:title).replacing('©').with('©') }
end
You should pass field names to matcher in the same way as you do with the
sanitize
call in the model, otherwise sanitize method won't be found in
model.
Test::Unit
test/test_helper.rb:
require 'sanitize/rails/test_helpers'
Sanitize::Rails::TestHelpers.setup(self,
invalid: 'some <a>string',
valid: 'some <a>string</a>'
)
your test:
assert_sanitizes Model, :field, :some_other_field
Compatibility
Tested with Rails 3.0 and 🆙 under Ruby 1.9.3 and 🆙.
License
MIT