devp / sanitize_attributes

Rails plugin to sanitize ActiveRecord objects when they are saved. Can work with whatever sanitization method you like.


devp (author)
Tue Feb 10 13:24:51 -0800 2009
commit  796d8f7d592b7fddd61932e21fbb06227f128f63
tree    ee1d6f22cb1e7d60c4645c7f34c19430e59223af
parent  4d52bd0b99a5aae14def20972eb0a9f4dd95207d
README.rdoc

SanitizeAttributes

This is a simple plugin for ActiveRecord models to define sanitizable attributes. When an object is saved, those attributes will be run through whatever filter you’ve defined. You can define a default filter for all sanitizations.

Sanitization only happens for non-nil attributes. (A nil attribute may be valid for your model, and the sanitizers should only have to worry about working with strings.)

This was made to implement anti-XSS validation. My current gem of choice is Sanitize: github.com/rgrove/sanitize/tree/master

Example

 # probably in environment.rb
 SanitizeAttributes.define_default_sanitization_method do |text|
   "PLACEHOLDER"
 end

 # app/models/nacho.rb
 class Nacho < ActiveRecord::Base
   # no block given: falls back to the default method defined above
   sanitize_attributes :foo, :bar
 end

 # app/models/burrito.rb
 class Burrito < ActiveRecord::Base
   # no block given: falls back to this class's default method, defined below
   sanitize_attributes :baz
   # attribute-specific filter, using the Sanitize gem
   sanitize_attributes :title, :body do |text|
     Sanitize.clean(text)
   end
   # class-level default, overriding the global default for this model
   define_default_sanitization_method_for_class do |text|
     "ANOTHER PLACEHOLDER"
   end
 end

 # results...
 n = Nacho.create!(:foo => 'something')
 n.foo # => "PLACEHOLDER"
 b = Burrito.create!(:baz => '<script>alert(1)</script>', :title => '<script>alert(1)</script>')
 b.baz # => "ANOTHER PLACEHOLDER"
 b.title # => "alert(1)"
 b.body # => unprocessed; sanitization filters are only run on non-nil values
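As an added example that is not the plugin's own source, the following is a minimal stand-in for the behaviour described above on plain Ruby objects: a `sanitize!` method takes the place of the before-save hook, a tag-stripping block takes the place of `Sanitize.clean` (assumed, so the gem is not needed), and the resolution order is per-attribute block, then class default, then global default, with nil attributes left untouched.

```ruby
# Added example, not the plugin's own source: a minimal stand-in for the behaviour
# the README describes, on plain Ruby objects instead of ActiveRecord models.
module SanitizeAttributes
  class << self; attr_accessor :default_method; end
  def self.define_default_sanitization_method(&block)
    self.default_method = block
  end
  module ClassMethods
    attr_accessor :class_default_method
    # attribute => its own block, or nil when it should fall back to a default
    def sanitizable_attributes
      @sanitizable_attributes ||= {}
    end
    def sanitize_attributes(*attrs, &block)
      attrs.each { |a| sanitizable_attributes[a] = block }
    end
    def define_default_sanitization_method_for_class(&block)
      self.class_default_method = block
    end
  end
  def self.included(base)
    base.extend(ClassMethods)
  end
  # Stands in for the plugin's before_save hook: nil values are skipped, and an
  # attribute's own block beats the class default, which beats the global one.
  def sanitize!
    self.class.sanitizable_attributes.each do |attr, filter|
      value = public_send(attr)
      next if value.nil?
      filter ||= self.class.class_default_method || SanitizeAttributes.default_method
      raise ArgumentError, "no sanitization method for #{attr}" unless filter
      public_send("#{attr}=", filter.call(value.to_s))
    end
    self
  end
end
SanitizeAttributes.define_default_sanitization_method { |_text| "PLACEHOLDER" }
class Nacho
  include SanitizeAttributes
  attr_accessor :foo, :bar
  sanitize_attributes :foo, :bar
end
class Burrito
  include SanitizeAttributes
  attr_accessor :baz, :title, :body
  sanitize_attributes :baz
  # Tag-stripping stand-in for Sanitize.clean (assumption: the gem is not loaded).
  sanitize_attributes(:title, :body) { |text| text.gsub(/<[^>]*>/, "") }
  define_default_sanitization_method_for_class { |_text| "ANOTHER PLACEHOLDER" }
end
```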

Future Work

The following would be cool:

  • allowing strings/symbols for sanitization methods, not just blocks
     Nacho.default_sanitization_method_for_class :microwave # uses Nacho.microwave
     Nacho.default_sanitization_method_for_class "Sanitize.clean"

Etc

© 2009 Dev Purkayastha, released under the MIT license