I'd really like to be able to tell Sanitize to return a Nokogiri object instead of a string. For my particular application, I need to paginate the output, and that requires a parsed DOM. There are probably other scenarios where a Nokogiri object would be needed. It seems silly to use CPU cycles writing to HTML then parsing again.

If you want, I could try to write a patch for this. I'm probably going to monkey-patch my own copy for now.

By the way, this is a great gem.

Thanks,
Jarrett

Hello

I have strange behaviour of transformer. When I trying to replace node content with non-ascii strings, sanitizer returns double-encoded to utf-8 string:

This is my transformer:

     lambda do |env|
        node      = env[:node]
         node_name = env[:node_name]
         return if node_name == 'pre'
         return if node_name == 'code'
         if !node.text?
           #text = node.text.to_s
           text = "тест"
           #text.gsub!(/\n[\n]+/u, "</p><p>")
           #text.gsub!(/\n/u, "<br />")
           node.replace(text)
         end
         {:node_whitelist => [node]}
       end

IO Code:

intext = STDIN.read()
outtext = Sanitize.clean(intext, HTMLSanitize::Config::Custom)
outlen = outtext.size()
STDOUT.write(outtext)

Output of sanitizer:

$ ./priv/html_sanitizer.rb
<p>тест
тест
</p>
ÑеÑÑ

But I expect тест output
How I can solve this problem with encodings?

Thank you

My users are frustrated that if they accidentally have a bracket tag, it removes the html.

Sanitize.clean!("test < the more love") -> "test "

I've tried adding a filter but it was already gone by the time it saw it.

    node = env[:node]
    node.content = node.content.gsub(/</,'&lt;').gsub(/>/,'&gt;') if node.text?

When i use plain Sanitize and provide a bad transformer, i get the above exception. Maybe you could raise the standard ArgumentError or the like.

Reproduce:
Sanitize.clean("<script>fail();</script>", :transformers => lambda {|env| :badtransformer })

My html is coming from a Word document, which is converted to html, rather poorly, and uses a ton of newline characters.

Is this a job for transformers? Or would a simple update allow for whitelisting these types of characters?

Thanks

Feature request from Ævar Arnfjörð Bjarmason:

My use case is that I'm calling Sanitize like this:

def clean(html)
  return Sanitize.clean(html, :elements => ['a'],
                   :attributes => {'a' => ['href']},
                   :protocols => {'a' => {'href' => ['http', 'https']}})
end

And this is the output I really want:

clean("<b>") ==> &lt;b&gt;
clean("<b><a href=\"http://example.com\">example</a>") ==> &lt;b&gt;<a href="http://example.com">example</a>

Instead Sanitize will comptetely strip the unacceptable HTML tag.

We should implement a setting to make the stripping optional.

I was testing out some xss test cases from a cheat sheet and had one example get through on a relaxed setting. https://gist.github.com/984318 is this gist of the command

>> Sanitize::VERSION
=> "1.1.0"
>> Sanitize.clean(" ")
=> " "

I expected: "&nbsp;"

Nokogiri is listed as a requirement on the readme, but it actually requires hpricot.

I don't recall this happending prior to nokogiri / libxml2.7+ but it appears
that carriage returns are now being html encoded by the clean() method:

http://gist.github.com/270293

There are comments on this here:

http://github.com/rgrove/sanitize/issues/closed/#issue/10

but no mention on whether this is by design, should be considered a bug or if
there is a workaround?

Would be interesting to compare to HTMLFilter and it would be nice if the brenchmarks were published somewhere in the project.

Case #1 - MRI (1.9.2-p290, 1.9.3-p194)

Nokogiri::VERSION   # => "1.5.0"
Sanitize.clean("a<a> b </a>") # => "a b " 

Case #2 (JRuby-1.6.7.2)

Nokogiri::VERSION   # => "1.5.3"
Sanitize.clean("a<a> b </a>") # => "a" 

I am unable to strip the contents of the <script> tags from various parts of an HTML document. Try these commands out in your console:

url = "https://github.com/rgrove/sanitize"
raw = RestClient.get( url )
a = Sanitize.clean( raw )
a = Sanitize.clean( raw, :elements => ['p'] )
a = Sanitize.clean( raw, :elements => [] )
a = Sanitize.clean( raw, Sanitize::Config::RESTRICTED )

And witness that a always contains a lot of leftover script-ese.

(note: using the rest-client gem)

No matter which method of sanitizing I use, I am left with the contents of the <script> tags which is quite annoying, I have tried using the :remove_contents => ['script'] parameter as well, to no success.

If this is pilot error on my part, please let me know. I would love to solve this.

HTML and BODY tags are always removed from string:
Sanitize.clean("

foo bar

foo bar

Sanitize.clean("<p>foo bar</p><a>some text</a>", :elements => ['html', 'body', 'p'], :remove_contents => true)
=> "<p>foo bar</p>" 

Sanitize.clean("<html><body><p>foo bar</p><a>some text</a></body></html>", :elements => ['html', 'body', 'p'], :remove_contents => true)
=> "<p>foo bar</p>" 

If you submit a field with "hello & world" sanitize is saving that in the DB as:

hello & world 

How can you whitelist the & . We want sanitize to remove all possible malicious html and JS/script tags. but we're ok allowing the ampersand.

I tried but that had no effect:

Sanitize.clean(self[column.name], :elements => %w[&])

Thanks

Nokogiri 1.4.0 is out, and it fixes a segfault that I encountered when running Sanitize on a large number of documents. Could you please test / configure the gem to work with 1.4.0. I currently get RubyGem version error: nokogiri(1.4.0 not ~> 1.3.3).

And for the record, I confirmed that Nokogiri 1.4.0 fixed my segfault issue on a pre-release Nokogiri gem that was still in the 1.3.x version series.

Using the Sanitize gem, I'm cleaning some HTML. In the href attribute of my anchor tags, I wish to parse the following:

<a href="#fn:1">1</a>

This is required for implementing footnotes using the Kramdown gem.

However, Sanitize doesn't appear to like the colon inside the href attribute. It simply outputs <a>1</a> instead, skipping the href attribute altogether.

My sanitize code looks like this:

# Setup whitelist of html elements, attributes, and protocols that are allowed.
allowed_elements = ['h2', 'a', 'img', 'p', 'ul', 'ol', 'li', 'strong', 'em', 'cite', 
  'blockquote', 'code', 'pre', 'dl', 'dt', 'dd', 'br', 'hr', 'sup', 'div']
allowed_attributes = {'a' => ['href', 'rel', 'rev'], 'img' => ['src', 'alt'], 
  'sup' => ['id'], 'div' => ['class'], 'li' => ['id']}
allowed_protocols = {'a' => {'href' => ['http', 'https', 'mailto', :relative]}}

# Clean text of any unwanted html tags.
html = Sanitize.clean(html, :elements => allowed_elements, :attributes => allowed_attributes, 
  :protocols => allowed_protocols)

Is there a way to get Sanitize to accept a colon in the href attribute?

This issue is a duplicate of this Stack Overflow question.

I'm getting a segmentation fault when running the following script. It appears to be something related to non-breaking-space parsing(???) because when I uncomment the line that gsub replaces these with regular spaces, the problem goes away.

#!/usr/bin/env ruby
require 'net/http'
require 'rubygems'
require 'sanitize'

headers,data = Net::HTTP.new("www.fcc.gov",80).get('/ftp/Bureaus/MB/Databases/cdbs/_readme.html')

# Uncomment this to fix segmentation fault
#data = data.gsub(/ /, ' ')

puts Sanitize.clean(data)

I tried to use sanitize and mechanize together in the same app, but I received the following error:

"Gem::LoadError (can't activate nokogiri (~> 1.3.3, runtime) for ["sanitize-1.1.0"], already activated nokogiri-1.4.0 for ["mechanize-0.9.3"]):"

I checked with "gem list --local" and I've got the both versions of nokogiri (1.4.0 and 1.3.3)
*** LOCAL GEMS ***
...
mechanize (0.9.3)
nokogiri (1.4.0, 1.3.3)
sanitize (1.1.0)
...

The error message only appears at the first time when I tried to run methods from the module using sanitize, it's a very simple function only executes 1 line of sanitize(Sanitize.clean(html)). After the first time the error message became this:

"MissingSourceFile (no such file to load -- sanitize):"

I'm kind off lost with this problem, it seems to me like a multiple inheritance problem, do you have any idea how to solve this?

When I run the following text:

through this function:
Sanitize.clean(text,
# Style element has no effect since the JS sterilizes it
:elements => Sanitize::Config::RELAXED[:elements].push('span', 'div', 'style'),
:attributes => Sanitize::Config::RELAXED[:attributes].merge(:all => ['style']),
:protocols => Sanitize::Config::RELAXED[:protocols]
)

I get

If I do it again, I get:

 <div>asdfa sdfasdf sdf</div>&#13;
 <style>&amp;amp;amp;amp;#13;&#13;
 div {&amp;amp;amp;amp;#13;&#13;
 background-color: red;&amp;amp;amp;amp;#13;&#13;
 }&amp;amp;amp;amp;#13;&#13;
 </style>

great tool tho. everything else works super. :)

>> Sanitize::VERSION
=> "1.1.0"
>> Sanitize.clean('', :elements => "img", :attributes => {:all => ["src"] })
=> "<img src="http://example.org/image.png">"

I expected: <img src="http://example.org/image.png" />

This should explain it all for you: http://pastie.org/803874 Let me know if I can be of any further help.

Hi and thanks for a great library!

I am experiencing what might be a bug, here is a failing test as a gist: http://gist.github.com/245526
I ran it with the specs, for me "keep br and a tags, v1" will fail because Sanitize strips the
tag.

Would be happy if you could have a look at it and maybe help me. As of now I'm running:
sanitize 1.2.0.dev.20091104
nokogiri 1.4.0
Ubuntu Karmic Koala (ie, the libxml/xslt libs and whatnot thats in Karmic)

I had the same error with Sanitize 1.1.0.

There are some tags that doesn't work if empty or if not all parameters have been filled, for example, I have:

<a></a>
<img> or <img />

and so on...
I want to be able to just wipe those out, as they are "non-functional" tags if they don't have all the attributes correctly filled.
The came from a "MS Word" copy and pasted text, after some sanitization.

Hi,
could you tell me please - how to add to allowed tags list tags with prefixes, for example

 <prefix:tag attr = "something" />

I have tried, but its not working :(

I couldn't get the wiki to let me edit it, so here it is:

T_YOUTUBE_IFRAME = lambda do |env|
node = env[:node]
return nil unless env[:node_name] == 'iframe'

if node['src'] =~ /^http:\/\/www.youtube.com\/embed\//
  node['src'] += "?webkitfix"  # needed to get around webkit's XSS protection

  return {:node_whitelist => [node]}
end

end

<ul><li>one</li><ul><li>two</li></ul></ul><ol><li>one</li><ol><ol><ul><li>ok<br></li></ul></ol></ol></ol>

becomes

• one
• two

1. one

• ok
  

This might be a bug with Nokogiri though

There must be something that I am missing becase I have tried this bit of malicious HTML on your site: http://sanitize.pieisgood.org/ and the Sanitize.clean seems to work but if I do it in a ruby script it does not. Can you please see what could I be doing wrong? I am trying to sanitize this: http://gist.github.com/206679

Cheers.

andHapp

If there is a comment html is stripped when it should be kept.

Here is an example of the issue in an irb session with a git clone from 11 Jan, 2011:

irb --> text = "<!-- comment --><b>Hello</b>"
    ==> "<!-- comment --><b>Hello</b>"

irb --> Sanitize.clean(text)
    ==> "Hello"

irb --> Sanitize.clean(text, Sanitize::Config::RESTRICTED)
    ==> "Hello"

irb --> Sanitize.clean(text, Sanitize::Config::BASIC)
    ==> "Hello"

irb --> Sanitize.clean(text, Sanitize::Config::RELAXED)
    ==> "Hello"

Add this to the 'strings' cases in the test file to add tests:
:raw_comment_with_html => {
:html => 'Hello',
:default => 'Hello',
:restricted => 'Hello',
:basic => 'Hello',
:relaxed => 'Hello'
}

I'm at a local Ruby group meeting, and the presenter is saying that he had to strip out HTML comments using a regular expression before passing the result to sanitize. That shouldn't be necessary.

There's an example use case here: http://wonko.com/post/sanitize
It's actually very close to the Readme example, but differs a bit.

html = '<b><a href="http://foo.com/">foo</a></b><img src="http://foo.com/bar.jpg" />'
Sanitize.clean(html, Sanitize::Config::RELAXED)
# => '<b><a href="http://foo.com/">foo</a></b><img src="http://foo.com/bar.jpg" />'

Please note the closing slash on the image tag - that's what I would actually expect as the result.

In reality the same example cuts out that slash:

html = '<b><a href="http://foo.com/">foo</a></b><img src="http://foo.com/bar.jpg" />'
Sanitize.clean(html, Sanitize::Config::RELAXED)
#=> '<b><a href="http://foo.com/">foo</a></b><img src="http://foo.com/bar.jpg">'

Same happens to slashes in br tags for example.
Is there a way to keep these slashes?

Thank you.

YouTube and Vimeo embeds through iframe:

@@transformer = lambda do |env|
    node      = env[:node]
    node_name = env[:node_name]

    # Don't continue if this node is already whitelisted or is not an element.
    return if env[:is_whitelisted] || !node.element?

    # We look for <iframe> nodes
    return unless node_name == 'iframe'

    url = node['src']

    # Verify that the video URL is actually a valid YouTube or Vimeo video URL.
    return unless (url =~ /\Ahttp:\/\/(?:www\.)?youtube\.com\/embed\// ||
                   url =~ /\Ahttp:\/\/(?:(www|player)\.)?vimeo\.com\/video\//)

    Sanitize.clean_node!(node, {
      :elements => %w[iframe],

      :attributes => {
        'iframe' => ['src', 'width', 'height', 'allowfullscreen']
      },

      :add_attributes => {
        'iframe' => {'frameborder' => '0'}
      }
    })

    # Now that we're sure that this is a valid YouTube or Vimeo embed
    {:node_whitelist => [node]}
  end

Would you be open to a patch that would allow Sanitize.clean! to return the current Nokogiri document? In my current use case I end up re-parsing the string back into Nokogiri unnecessarily.

Just thought I'd check to see if you had interest. If so I'd be happy to put something together.

Cheers, and thanks for a great tool.

Alex

I have the following HTML

<a href="/pants" target="foo"><b>ipsum</b></a><br /><em><strong>dolor</strong></em> <i>amet</i> <img src="http://foo" height="20" width="20" align="center" alt="foo" /> <small>H<sub>2</sub>0</small> 2<sup>nd</sup> <u>dolor</u>

When I run it through Sanitize, I expect the following output:

<a href="/pants" target="foo"><b>ipsum</b></a><br><em><strong>dolor</strong></em> <i>amet</i> <img src="http://foo" height="20" width="20" align="center" alt="foo"> <small>H<sub>2</sub>0</small> 2<sup>nd</sup> <u>dolor</u>

But I get this:

<a href="/pants" target="foo"><b>ipsum</b></a><br><em><strong>dolor</strong></em> <i>amet</i> <img src="http://foo" height="20" width="20" align="center" alt="foo"><small>H<sub>2</sub>0</small> 2<sup>nd</sup><u>dolor</u>

The difference is that the space after the <img> tag as well as the space after the </sup> tag have been removed. It doesn't seem to matter whether I specify :html or :xhtml as the output. Here is the config that I am using:

# Use a custom set of options for the Sanitize gem
SANITIZE_CONFIG = {
  # HTML elements to allow. By default, no elements are allowed (which means
  # that all HTML will be stripped).
  :elements => %w[a b br em i img small strong sub sup u],

  # HTML attributes to allow in specific elements. By default, no attributes
  # are allowed.
  :attributes => {
    :all => [],
    'a' => ['href', 'target', 'rel'],
    'img' => ['align', 'alt', 'height', 'src', 'width']
  },

  # URL handling protocols to allow in specific attributes. By default, no
  # protocols are allowed. Use :relative in place of a protocol if you want
  # to allow relative URLs sans protocol.
  :protocols => {
    'a' => {'href' => ['ftp', 'http', 'https', :relative]},
    'img' => {'src' => ['http', 'https', :relative]}
  },

  # Whether or not to allow HTML comments. Allowing comments is strongly
  # discouraged, since IE allows script execution within conditional
  # comments.
  :allow_comments => false,

  # HTML attributes to add to specific elements. By default, no attributes
  # are added.
  :add_attributes => {},

  # Output format. Supported formats are :html and :xhtml. Default is :html.
  :output => :html,

  # Character encoding to use for HTML output. Default is 'utf-8'.
  :output_encoding => 'utf-8',

  # If this is true, Sanitize will remove the contents of any filtered
  # elements in addition to the elements themselves. By default, Sanitize
  # leaves the safe parts of an element's contents behind when the element
  # is removed.
  #
  # If this is an Array of element names, then only the contents of the
  # specified elements (when filtered) will be removed, and the contents of
  # all other filtered elements will be left behind.
  :remove_contents => false,

  # Transformers allow you to filter or alter nodes using custom logic. See
  # README.rdoc for details and examples.
  :transformers => [],

  # By default, transformers perform depth-first traversal (deepest node
  # upward). This setting allows you to specify transformers that should
  # perform breadth-first traversal (top node downward).
  :transformers_breadth => [],

  # Elements which, when removed, should have their contents surrounded by
  # space characters to preserve readability. For example,
  # `foo<div>bar</div>baz` will become 'foo bar baz' when the <div> is
  # removed.
  :whitespace_elements => %w[
  address article aside blockquote br dd div dl dt footer h1 h2 h3 h4 h5
  h6 header hgroup hr li nav ol p pre section ul
  ]
}

Hey

I just ran into an issue where I'd like to allow users to pass the style attribute to a div or span

<span style="font-weight:bold"></span>
<div style="text-align:center"></div>

However, I would like to whitelist the style attributes that they can pass.

This doesn't seem possible with the current setup. Might you be willing to add another setting for allowed style attributes similar to what you are doing with the protocols setting?

Hello Ryan,
Seems to be related to Nokogiri behaviour, I can't remove comments inside <style> nodes (HTML code produced by Microsoft Word) :

>> Sanitize.clean("<p><!-- test --></p>")
=> ""
>> Sanitize.clean("<style><!-- test --></style>")
=> "&lt;!-- test --&gt;"

Comments in <style> nodes aren't removed. Nokogiri treats it as CDATA node, instead of Comment (that's probably regular) :

<Nokogiri::XML::CDATA:0x83194bb8 "<!-- test -->">

I could remove this <style> node with a Transformer. Any better idea ?

Emilien

http://ha.ckers.org/xss.html

Tried a random one on:

http://sanitize.pieisgood.org/

With relaxed settings:

<A HREF="http://www.gohttp://www.google.com/ogle.com/">XSS</A>
<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>
<A HREF="//google">XSS</A>
<SCRIPT a=">'>" SRC="http://ha.ckers.org/xss.js"></SCRIPT>
<HEAD><META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=UTF-7"> </HEAD>+ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4-

Been trying to use sanitize with nokogiri 1.5.0.beta.4, though bundler fails because it can't find a compatible nokogiri version once 1.5 is enabled. So, might it be possible to relax the dependency on nokogiri from ~> 1.4.4 to ~> 1.4 and thus including all 1.x point releases?

This happens when running Sanitize.clean(string, Sanitize::Config::BASIC)

Has anyone ever had this problem? Any idea how to fix this?

Thanks

It would be nice to see Sanitize support cleansing whitespace in addition to html.

html = "some\t\ttext\t\nwith tabs    and\n\n newlines"
expected_result = "some text with tabs and newlines"  # nbsp replaced w/ space
actual_result = "some\t\ttext\t\nwith tabs    and\n\n newlines"

even if I use your example it didn't work:

>> html        = '<div><span>foo</span></div>'
=> "<div><span>foo</span></div>"
>>   transformer = lambda{|env| puts env[:node].name }
=> #<Proc:0x0000000101271968@(irb):3>
>> 
?>   # Prints "span", then "div". 
?>   Sanitize.clean(html, :transformers => transformer)
=> "foo"

I'm using the Ruby 1.8.7 default installation on OS X 10.6 and the newest Version of sanitize and its dependencies

Hello guys,
sanitize is really amazing, but i don't get to work to display vimeo/youtube video.
Other elements work fine.

tried it on this way:
http://pastie.org/3239118

We're trying to convert our home-grown sanitizer to use Sanitize instead and seeing a bunch of failing edge cases.

html = "Hello<br>Fred.<br /><p class=\"test\" >How's it\n\n going?</p>Fine. Thank you."
expected_result = "Hello Fred. How's it going? Fine. Thank you."
actual_result = "HelloFred.How's it\n\n going?Fine. Thank you."

Today I ran into an unusual error; I'm using sanitize on a substring in my rails project, like this:

Sanitize.clean project.description[0,150], Sanitize::Config::BASIC

On one particular project, the 150th character was a tick mark. This generated an error:

"premature end of regular expression"

I resolved this by deleting a character in the description, so that the 150th character was a letter.

I am not able to test on 1.2.0 and I couldn't find your change log to see if the problem has already been resolved. (I'm new to github).

nokogiri (1.3.3)
sanitize (1.1.0)

I have a textarea where people sometimes paste HTML documents. How can I remove the head section and just leave the body section? Here's a snippet from my config:

:transformers => [
  lambda { |env|
    env[:node].remove if env[:node].name == 'head'
    {}
  },
]

But when I try this out I get these results:

>> html = '<html><head>assdfd</head><body><p>hi</p></body></html>'
>> Sanitize.clean html, Sanitize::Config::MyConfig
=> "<p>assdfd</p><p>hi</p>"

But I would like to get <p>hi</p>. Any suggestions?

Thanks and regards,
Andy

I don't want sanitize to replace apostrophes and ampersands with their HTML equivalents. Is there any way to disable that?

Why whith text = "soit 52 kcal, protéines < 0,1g, glucides : "

Sanitize.clean(text) returns "soit 52 kcal, protéines" ?

Hi, just tried to use this gem to sanitize web page html source before indexing it, but this makes indexing process very and very slow:

Without sanitize:

Benchmark.measure { SiteSource.reindex }
 =>   6.090000   0.220000   6.310000 (  8.211175)

With Sanitize (Sanitize.clean(page_source, :remove_contents => %w[script style])):

Benchmark.measure { SiteSource.reindex }
 => 120.590000   0.230000 120.820000 (122.315429)

It's also noticeable slow even when I am trying to sanitize single html string from rails console:

1.9.3p0 :009 > Benchmark.measure { Sanitize.clean(SiteSource.last.data["source"]) }
 =>   2.030000   0.000000   2.030000 (  2.023783)

1.9.3p0 :010 > Benchmark.measure { page_source }
 =>   2.030000   0.000000   2.030000 (  2.038710)

1.9.3p0 :011 > Benchmark.measure { page_source }
 =>   0.270000   0.000000   0.270000 (  0.271550)

1.9.3p0 :012 > Benchmark.measure { page_source }
 =>   2.060000   0.060000   2.120000 (  2.122617)

1.9.3p0 :013 > Benchmark.measure { page_source }
 =>   0.230000   0.000000   0.230000 (  0.237719)

Weird that time is so different.

I'm using a modified version of the youtube filter to allow grooveshark embeds. These have a url like this in them, which sanitize is messing up despite my best efforts.
hostname=cowbell.grooveshark.com&widgetID=25096656&style=metal&p=0 - the &'s are being replaced with & which breaks the embed

full details:
https://gist.github.com/998274

Update:
Looks like the &s weren't my only problem, as safari/chrome get upset about a url being posted in an embed and then shown on the next page, and won't show it for security reasons. But refreshing it will show it, so not sure what to do about it.