Project

sanitize_attributes

0.01
No commit activity in last 3 years
No release in over 3 years
sanitize_attributesdevp/sanitize_attributesHomepageDocumentationSource CodeBug TrackerWiki
This is a simple plugin for ActiveRecord models to define sanitizable attributes. When an object is saved, those attributes will be run through whatever filter you’ve defined. You can define a default filter for all sanitizations.
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
2015
2016
2017
2018
2019
2020
2021
2022
2023
2024
 Popularity
Downloads
46,346
Stars
10
Forks
4
Watchers
4
 Releases
Current version
0.0.2
Total releases
1
First release
2011-11-26
Latest release
2011-11-26
 Pull Requests
Open Pull Requests
0
Closed Pull Requests
0
Merged Pull Requests
1
Pull Request Acceptance Rate
100%
 Development
Primary Language
Ruby
Average date of last 50 commits
2010-05-23
Reverse Dependencies
0

 Dependencies

Development

mocha
>= 0
rake
>= 0
sqlite3
>= 0
thoughtbot-shoulda
>= 0

Runtime

rails
>= 3.0.0
 Project Readme

SanitizeAttributes¶ ↑

This is a simple plugin for ActiveRecord models to define sanitizable attributes. When an object is saved, those attributes will be run through whatever filter you’ve defined. You can define a default filter for all sanitizations.

Sanitization only happens for non-nil attributes. (Because a nil attribute may be valid for your model, and the sanitzers should only have to worry about working with strings.)

This plugin was created to implement anti-XSS validation. My gem of choice is Sanitize: github.com/rgrove/sanitize/tree/master

For Rails 3, add this line to your Gemfile:

gem 'sanitize_attributes', :git => "git@github.com:devp/sanitize_attributes.git"

For Rails 2.3, it should work when installed as a plugin:

./script/plugin install git@github.com:devp/sanitize_attributes.git

Example¶ ↑ 

# config/initializers/sanitize_attributes.rb
SanitizeAttributes.default_sanitization_method = lambda do |text|
  text.gsub(/[^\w\s]/, "") # very simple, very limited
end

# app/models/bookmark.rb
class Bookmark
  sanitize_attributes :sitename
end

# app/models/article.rb
class Article   
  sanitize_attributes :title, :author

  sanitize_attributes :body do |body_text|
    # This needs to be safe, renderable HTML, so let's use a real sanization tool
    # I recommend: http://github.com/rgrove/sanitize/tree/master
    Sanitize.clean(body_text)
  end
end 

Article.default_sanitization_method_for_class = lambda do |text|
  text.gsub(/[^\w\s\'".,?!]/, "") # more reasonable, for titles and such
end

# in action...
b = Bookmark.create(:sitename => "boston.rb!!!", :url => "http://http://bostonrb.org/")
b.sitename # => "bostonrb"
a = Article.create(:title => "<b>Hello</b>!", :body => "Please remove the <script>script tags</script>!")
a.title # => "Hello!"
a.body  # => "Please remove the script tags!"

Future Work¶ ↑

Things to work on in the future:

  • allowing strings/symbols for sanitization methods, not just blocks

    Nacho.default_sanitization_method_for_class = :microwave # uses Nacho.microwave
Nacho.default_sanitization_method_for_class = "Sanitize.clean"

  • add validation helpers, if you want to flag problematic text rather than cleaning it.

    class Foo

    validate_sanitized :value

    end Foo.new(:value => “abc”).valid? #=> false if a sanitized copy of #value is different than the original

  • better functionality for subclasses. Currently, they will share sanitized attributes and sanitization methods across subclasses and the base class.

Etc¶ ↑

Thanks to contributors:

  • Josh Nichols

  • Michael Reinsch

  • Paul McMahon

© 2009 Dev Purkayastha, released under the MIT license