An easy bridge to integrate Ryan Grove's HTML Whitelist Sanitizer in your Rails application.

`Gemfile`:

```ruby
gem 'sanitize-rails', require: 'sanitize/rails'
```
Pass the configuration to Sanitize by calling `Sanitize::Rails.configure` in an initializer, say `config/initializers/sanitizer.rb`:

```ruby
Sanitize::Rails.configure(
  elements: [ ... ],
  attributes: { ... },
  ...
)
```

You may pass `escape_entities: false` if you don't want to escape HTML entities. Example: `Hello & World` will not be changed to `Hello &amp; World`.

Check out the example in the `example/` directory.
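A fuller initializer, added here as an illustration (it is not the gem's own code nor the contents of its `example/` directory), showing what a typical allowlist passed to `Sanitize::Rails.configure` looks like. The option names are those of the Sanitize gem's config hash (`elements`, `attributes`, `protocols`, `add_attributes`, `remove_contents`); the specific element and attribute choices are assumptions for a simple rich-text field.

```ruby
# config/initializers/sanitizer.rb
# Illustrative allowlist, not the gem's own example; element and attribute
# choices are assumptions for a simple rich-text field.
Sanitize::Rails.configure(
  # Only these elements survive; any other tag is removed and its text kept.
  elements: %w[a b i em strong p br ul ol li blockquote code pre],

  # Attributes are allowed per element; 'all' applies to every allowed element.
  attributes: {
    'a'   => %w[href title],
    'all' => %w[class]
  },

  # Restrict the URL schemes an href may use; :relative permits same-site
  # paths. An href using any other scheme is dropped.
  protocols: {
    'a' => { 'href' => ['http', 'https', 'mailto', :relative] }
  },

  # Add rel="nofollow" to every surviving link.
  add_attributes: {
    'a' => { 'rel' => 'nofollow' }
  },

  # For these elements, drop the text inside them as well as the tag.
  remove_contents: %w[script style]
)
```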
The ActionView `sanitize` helper is transparently overridden to use the Sanitize gem.
A `sanitizes` helper is added to ActiveRecord that installs on create/save callbacks which sanitize the given attributes before persisting them to the database. Example, `app/models/foo.rb`:

```ruby
class Foo < ActiveRecord::Base
  sanitizes :description # on save by default
  sanitizes :body, on: :create
  sanitizes :remarks, on: :save
end
```
`spec/spec_helper.rb`:

```ruby
require 'sanitize/rails/matchers'
```

in spec code:

```ruby
describe Post do
  # Simplest variant, single field and default values
  it { should sanitize_field :title }

  # Multiple fields
  it { should sanitize_fields :title, :body }

  # Specifying both the text to sanitize and the expected result
  it { should sanitize_field(:title).replacing('&copy;').with('©') }
end
```

You should pass field names to the matcher in the same way as you do with the `sanitizes` call in the model, otherwise the sanitize method won't be found in the model.
`test/test_helper.rb`:

```ruby
require 'sanitize/rails/test_helpers'

Sanitize::Rails::TestHelpers.setup(self,
  invalid: 'some <a>string',
  valid:   'some <a>string</a>'
)
```

in your test:

```ruby
assert_sanitizes Model, :field, :some_other_field
```
Tested with Rails 3.0 and up under Ruby 1.9.3 and up.

License: MIT