devp / sanitize_attributes

Description:	Rails plugin to sanitize ActiveRecord objects when they are saved. Can work with whatever sanitization method you like. edit
Homepage:	edit
Public Clone URL:	git://github.com/devp/sanitize_attributes.git Give this clone URL to anyone. `git clone git://github.com/devp/sanitize_attributes.git`
Your Clone URL:	git@github.com:devp/sanitize_attributes.git Use this clone URL yourself. `git clone git@github.com:devp/sanitize_attributes.git`

Implemented advice from techpickles. Tests more legible with 
shoulda/mocha. Used more realistic examples for the Rdoc. Reorganized into 
modules.

devp (author)

Sat Mar 07 11:38:35 -0800 2009

commit 4182fa374fe4559c5e417549be79f9b4105ccdb9
tree 28f09f1b60ecc45601e74ec2cadbccf20ef8c371
parent 796d8f7d592b7fddd61932e21fbb06227f128f63

sanitize_attributes /

name	age	history message
MIT-LICENSE	Tue Feb 03 12:43:33 -0800 2009	initial import [devp]
README.rdoc	Sat Mar 07 11:38:35 -0800 2009	Implemented advice from techpickles. Tests more... [devp]
Rakefile	Sat Mar 07 11:38:35 -0800 2009	Implemented advice from techpickles. Tests more... [devp]
init.rb	Sat Mar 07 11:38:35 -0800 2009	Implemented advice from techpickles. Tests more... [devp]
lib/	Sat Mar 07 11:38:35 -0800 2009	Implemented advice from techpickles. Tests more... [devp]
test/	Sat Mar 07 11:38:35 -0800 2009	Implemented advice from techpickles. Tests more... [devp]

README.rdoc

SanitizeAttributes

This is a simple plugin for ActiveRecord models to define sanitizable attributes. When an object is saved, those attributes will be run through whatever filter you’ve defined. You can define a default filter for all sanitizations.

Sanitization only happens for non-nil attributes. (Because a nil attribute may be valid for your model, and the sanitzers should only have to worry about working with strings.)

This plugin was created to implement anti-XSS validation. My current gem of choice is Sanitize: github.com/rgrove/sanitize/tree/master

Example

 # probably in environment.rb
 SanitizeAttributes.default_sanitization_method = lambda do |text|
   text.gsub(/[^\w\s]/, "") # very simple, very limited
 end

 # app/models/bookmark.rb
 class Bookmark
   sanitize_attribute :sitename
 end

 # app/models/article.rb
 class Article
   default_sanitization_method_for_class = lambda do |text|
     text.gsub(/[^\w\s'".,?!]/, """) # more reasonable, for titles and such
   end

   sanitize_attributes :title, :author

   sanitize_attributes :body do |body_text|
     # This needs to be safe, renderable HTML, so let's use a real sanization tool
     # I recommend: http://github.com/rgrove/sanitize/tree/master
     Sanitize.clean(body_text)
   end
 end

 # in action...
 b = Bookmark.create(:sitename => "boston.rb!!!", :url => "http://http://bostonrb.org/")
 b.sitename # => "bostonrb"
 a = Article.create(:title => "<b>Hello</b>!", :body => "Please remove the <script>script tags</script>!")
 a.title # => "Hello!"
 a.body  # => "Please remove the script tags!"

Future Work

Things to work on in the future:

allowing strings/symbols for sanitization methods, not just blocks

 Nacho.default_sanitization_method_for_class = :microwave # uses Nacho.microwave
 Nacho.default_sanitization_method_for_class = "Sanitize.clean"

add validation helpers, if you want to flag problematic text rather than cleaning it.
class Foo
```
  validate_sanitzed :value
```
end Foo.new(:value => "abc").valid? #=> false if a sanitized copy of #value is different than the original
better functionality for subclasses. Currently, they will share sanitized attributes and sanitization methods across subclasses and the base class.

SanitizeAttributes

Example

Future Work

Etc