
sanitize-rails's Introduction

Sanitize-Rails - sanitize .. on Rails.

An easy bridge to integrate Ryan Grove's HTML Whitelist Sanitizer in your Rails application.

Installation

Gemfile:

gem 'sanitize-rails', require: 'sanitize/rails'

Configuration

Pass the Sanitize configuration hash (elements, attributes, protocols and so on) by calling Sanitize::Rails.configure in an initializer, say config/initializers/sanitizer.rb:

Sanitize::Rails.configure(
  elements:   [ ... ],
  attributes: { ... },
  ...
)

You may pass escape_entities: false if you don't want HTML entities in text to be escaped. Example: Hello & World will not be changed to Hello &amp; World.

Check out the example in the example/ directory.
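To make the effect of each configuration key concrete, here is an added example; it is not code from sanitize-rails or from the Sanitize gem. It is a toy allowlist cleaner whose config hash uses the same keys (elements, attributes, protocols, remove_contents, escape_entities), run over a constructed input once with a weak configuration and once with a corrected one, and it also shows what escape_entities: false changes. The module name, the sample input and the regex tokenizer are assumptions made only for this illustration; a real application keeps using the Sanitize gem, which parses with Nokogiri, and borrows nothing from this block except the shape of the configuration.

```ruby
require 'cgi'

# Toy allowlist cleaner (example only, NOT the Sanitize gem). The config hash
# mirrors the keys Sanitize::Rails.configure accepts so their effect is visible.
# Sanitize parses with Nokogiri; this regex tokenizer only illustrates the rules.
module ToyAllowlist
  TAG_RE  = %r{</?([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>}
  ATTR_RE = /([a-zA-Z][a-zA-Z0-9:-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/

  def self.clean(html, config)
    elements = config.fetch(:elements, [])
    removed  = config.fetch(:remove_contents, %w[script style]) # Sanitize's default list is longer
    escape   = config.fetch(:escape_entities, true)
    out = +''
    pos = 0
    skipping = nil

    html.scan(TAG_RE) do
      m = Regexp.last_match
      text = html[pos...m.begin(0)]
      pos  = m.end(0)
      name = m[1].downcase
      closing = m[0].start_with?('</')
      if skipping                                  # inside a removed element: drop everything
        skipping = nil if closing && name == skipping
        next
      end
      out << text_node(text, escape)
      if !closing && removed.include?(name) && !elements.include?(name)
        skipping = name                            # e.g. <script>: tag AND contents go
      elsif elements.include?(name)                # allowed element: keep tag, filter attributes
        out << (closing ? "</#{name}>" : "<#{name}#{clean_attrs(name, m[2], config)}>")
      end                                          # any other tag is dropped, its text kept
    end
    out << text_node(html[pos..-1], escape) unless skipping
    out
  end

  # attributes: { 'a' => ['href'], :all => ['class'] } -- per element plus :all
  def self.clean_attrs(name, raw, config)
    attrs   = config.fetch(:attributes, {})
    allowed = Array(attrs[:all]) + Array(attrs[name])
    raw.scan(ATTR_RE).map do |attr, dq, sq, bare|
      attr  = attr.downcase
      value = CGI.unescapeHTML(dq || sq || bare)   # decode &#9; etc. BEFORE checking, as a browser would
      next unless allowed.include?(attr) && protocol_ok?(name, attr, value, config)
      %( #{attr}="#{CGI.escapeHTML(value)}")
    end.compact.join
  end

  # protocols: { 'a' => { 'href' => ['http', 'https', :relative] } }
  def self.protocol_ok?(name, attr, value, config)
    rule = config.fetch(:protocols, {}).dig(name, attr)
    return true if rule.nil?                       # no protocol restriction on this attribute
    v = value.gsub(/[\u0000-\u0020]/, '').downcase # browsers ignore tabs/newlines/control chars in a scheme
    scheme = v[/\A([a-z][a-z0-9+.-]*):/, 1]
    scheme ? rule.include?(scheme) : rule.include?(:relative)
  end

  def self.text_node(text, escape)
    escape ? CGI.escapeHTML(CGI.unescapeHTML(text)) : text
  end
end

# Constructed sample input (not from the page): a good link, an entity-obfuscated
# javascript: link, an inline handler, a script block and a bare ampersand.
SAMPLE = '<p onclick="x()">Hi &amp; <a href="https://e.example/a">ok</a> ' \
         '<a href="java&#9;script:alert(1)">bad</a><script>alert(1)</script> 1 & 2</p>'

WEAK   = { elements: %w[p a], attributes: { 'a' => %w[href] } }   # href allowed, no protocol rule
STRICT = WEAK.merge(protocols: { 'a' => { 'href' => ['http', 'https', :relative] } })

puts ToyAllowlist.clean(SAMPLE, WEAK)    # the javascript: href survives
puts ToyAllowlist.clean(SAMPLE, STRICT)  # it is dropped: <a>bad</a>
puts ToyAllowlist.clean('Hello & World', STRICT.merge(escape_entities: false))
```

With WEAK, href is allowed on a but no protocols rule exists, so the obfuscated java&#9;script: URL is kept verbatim; STRICT adds the rule and the attribute is dropped while the link text stays. The scheme check runs on the decoded attribute value because the browser decodes the entity before it reads the scheme; a check on the raw source text would pass the payload through.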

Usage

The ActionView sanitize helper is transparently overridden to use the Sanitize gem.

A sanitizes helper is added to ActiveRecord that installs create/save callbacks which sanitize the given attributes before they are persisted to the database. Example:

app/models/foo.rb:

class Foo < ActiveRecord::Base
  sanitizes :description # on save by default

  sanitizes :body,    on: :create
  sanitizes :remarks, on: :save
end
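To make the on: option observable without a Rails application, here is an added example; it is a plain-Ruby stand-in written for this page, not the gem's implementation. It assumes that the helper defines one method per sanitizes call, named sanitize_ followed by the field names joined with underscores (this is the grouping the Testing section's caveat refers to; check the gem's source for the exact scheme), and it replaces the configured engine with a tag-stripping lambda.

```ruby
# Stand-in for the sanitizes helper (example only, not sanitize-rails code).
# Assumption: one callback method per call, named sanitize_<fields joined by "_">.
module Sanitizes
  STRIP_TAGS = ->(value) { value.to_s.gsub(/<[^>]*>/, '') }  # assumed engine, not Sanitize

  def self.included(base)
    base.extend(ClassMethods)
  end

  module ClassMethods
    # sanitizes :a, :b, on: :create  ->  defines #sanitize_a_b and runs it before create
    def sanitizes(*fields, on: :save)
      name = :"sanitize_#{fields.join('_')}"
      define_method(name) do
        fields.each { |f| public_send("#{f}=", STRIP_TAGS.call(public_send(f))) }
      end
      callbacks[on] << name
    end

    def callbacks
      @callbacks ||= Hash.new { |h, k| h[k] = [] }
    end
  end

  # Minimal life-cycle mirroring Rails ordering: before_save hooks run on every
  # save, before_create hooks only on the first one (the create).
  def save
    self.class.callbacks[:save].each   { |cb| send(cb) }
    self.class.callbacks[:create].each { |cb| send(cb) } unless @persisted
    @persisted = true
    self
  end
end

# The model from the README, with accessors in place of a database schema.
class Foo
  include Sanitizes
  attr_accessor :description, :body, :remarks
  sanitizes :description             # on save by default
  sanitizes :body,    on: :create
  sanitizes :remarks, on: :save
end

# Grouping matters: one call with two fields yields one method, sanitize_title_body.
class Post
  include Sanitizes
  attr_accessor :title, :body
  sanitizes :title, :body
end

foo = Foo.new
foo.description, foo.body, foo.remarks = '<b>hi</b>', '<i>x</i>', '<u>r</u>'
foo.save                            # all three cleaned: this save is the create
foo.body = '<i>later</i>'
foo.save                            # body left alone: on: :create hooks do not run again
p [foo.description, foo.body, foo.remarks]
p Post.method_defined?(:sanitize_title_body), Post.method_defined?(:sanitize_title)
```

The second save shows why on: :create is a weaker guarantee than on: :save: anything written to body after the record exists reaches the database unsanitized. The Post class shows why the matchers need the same field grouping as the model: sanitize_title_body exists, sanitize_title does not.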

Testing

RSpec

spec/spec_helper.rb:

require 'sanitize/rails/matchers'

in spec code:

describe Post do
  # Simplest variant, single field and default values
  it { should sanitize_field :title }

  # Multiple fields
  it { should sanitize_fields :title, :body }

  # Specifying both the text to sanitize and the expected result
  it { should sanitize_field(:title).replacing('&copy;').with('©') }
end

Pass field names to the matcher grouped the same way as in the sanitizes call in the model (sanitize_fields :title, :body for sanitizes :title, :body); otherwise the sanitize method won't be found on the model.

Test::Unit

test/test_helper.rb:

require 'sanitize/rails/test_helpers'

Sanitize::Rails::TestHelpers.setup(self,
  invalid: 'some <a>string',
  valid:   'some <a>string</a>'
)

your test:

assert_sanitizes Model, :field, :some_other_field

Compatibility

Tested with Rails 3.0 and up under Ruby 1.9.3 and up.

License

MIT

Have fun!

sanitize-rails's People

Contributors

damien, fabn, jaygen, michaelglass, pywebdesign, ryrych, tbprojects, vjt


sanitize-rails's Issues

Matchers

Hi,

Thanks for creating this sanitize-rails gem! I'm using it with a lot of success in a project I'm currently working on.

Here's a gist I've put together for creating matchers:

https://gist.github.com/1179448

Would you be interested at all in adding this to the project? If so, I'll hack it into my fork and send a pull request.

Thanks again,

Evan

multiple configurations

Does this gem support different sanitization configurations on different fields? It looks like it supports only one global configuration.

License missing from gemspec

Some companies will only use gems with a certain license.
The canonical and easy way to check is via the gemspec, e.g.:

spec.license = 'MIT'
# or
spec.licenses = ['MIT', 'GPL-2']

There is even a License Finder to help companies ensure all gems they use
meet their licensing needs. This tool depends on license information being available in the gemspec.
Including a license in your gemspec is a good practice, in any case.

How did I find you?

I'm using a script to collect stats on gems, originally looking for download data, but decided to collect licenses too,
and make issues for missing ones as a public service :)
https://gist.github.com/bf4/5952053#file-license_issue-rb-L13 So far it's going pretty well

New version of sanitize

Unable to activate sanitize-rails-0.9.1, because sanitize-3.0.0 conflicts with sanitize (~> 2.0) (Gem::LoadError)

Mark cleaned strings as HTML safe

First off, thanks for putting this gem together @vjt! It saved me a good day of work integrating the sanitize gem into my employer's codebase.

Anyway, back on topic: I'd like to introduce a change to sanitize-rails that would automatically convert all cleaned strings into a SafeBuffer. This would mark any cleaned text/attributes as HTML safe and prevent already cleaned text from being escaped a second time by default when rendering said text in rails views.

Would a pull request I make for this be accepted? I notice there aren't any tests on this gem yet, so I can introduce the beginnings of a test suite with this feature as well.

"SanitizeFieldsMatcher implements a legacy RSpec matcher protocol"

When using sanitize-rails with RSpec 3.1.0, I get this warning:

Deprecation Warnings:

--------------------------------------------------------------------------------
Sanitize::Rails::Matchers::SanitizeFieldsMatcher implements a legacy RSpec matcher
protocol. For the current protocol you should expose the failure messages
via the `failure_message` and `failure_message_when_negated` methods.
(Used from /Volumes/Customer/apps/application/spec/models/my_spec.rb:5:in `block (2 levels) in <top (required)>')
--------------------------------------------------------------------------------
