SanitizeAttributes¶ ↑
This is a simple plugin for ActiveRecord models to define sanitizable attributes. When an object is saved, those attributes will be run through whatever filter you’ve defined. You can define a default filter for all sanitizations.
Sanitization only happens for non-nil attributes. (Because a nil attribute may be valid for your model, and the sanitzers should only have to worry about working with strings.)
This plugin was created to implement anti-XSS validation. My gem of choice is Sanitize: github.com/rgrove/sanitize/tree/master
For Rails 3, add this line to your Gemfile:
gem 'sanitize_attributes', :git => "git@github.com:devp/sanitize_attributes.git"
For Rails 2.3, it should work when installed as a plugin:
./script/plugin install git@github.com:devp/sanitize_attributes.git
Example¶ ↑
# config/initializers/sanitize_attributes.rb SanitizeAttributes.default_sanitization_method = lambda do |text| text.gsub(/[^\w\s]/, "") # very simple, very limited end # app/models/bookmark.rb class Bookmark sanitize_attributes :sitename end # app/models/article.rb class Article sanitize_attributes :title, :author sanitize_attributes :body do |body_text| # This needs to be safe, renderable HTML, so let's use a real sanization tool # I recommend: http://github.com/rgrove/sanitize/tree/master Sanitize.clean(body_text) end end Article.default_sanitization_method_for_class = lambda do |text| text.gsub(/[^\w\s\'".,?!]/, "") # more reasonable, for titles and such end # in action... b = Bookmark.create(:sitename => "boston.rb!!!", :url => "http://http://bostonrb.org/") b.sitename # => "bostonrb" a = Article.create(:title => "<b>Hello</b>!", :body => "Please remove the <script>script tags</script>!") a.title # => "Hello!" a.body # => "Please remove the script tags!"
Future Work¶ ↑
Things to work on in the future:
-
allowing strings/symbols for sanitization methods, not just blocks
Nacho.default_sanitization_method_for_class = :microwave # uses Nacho.microwave Nacho.default_sanitization_method_for_class = "Sanitize.clean"
-
add validation helpers, if you want to flag problematic text rather than cleaning it.
class Foo
validate_sanitized :value
end Foo.new(:value => “abc”).valid? #=> false if a sanitized copy of #value is different than the original
-
better functionality for subclasses. Currently, they will share sanitized attributes and sanitization methods across subclasses and the base class.
Etc¶ ↑
Thanks to contributors:
-
Josh Nichols
-
Michael Reinsch
-
Paul McMahon
© 2009 Dev Purkayastha, released under the MIT license