technoweenie / mephisto fork watch download tarball
public
Fork of halorgium/mephisto
Description: A mirror of the mephisto code-base
Homepage: http://mephistoblog.com/
Clone URL: git://github.com/technoweenie/mephisto.git
Click here to lend your support to: mephisto and make a donation at www.pledgie.com !
mephisto / vendor / plugins / white_list
name age
history
message
..
file README Mon Nov 27 10:32:27 -0800 2006 update white list plugin [technoweenie]
file Rakefile Sun Sep 24 21:50:10 -0700 2006 add white list protection for comments [technoweenie]
file init.rb Sun Sep 24 21:50:10 -0700 2006 add white list protection for comments [technoweenie]
directory lib/ Tue Jan 30 08:25:30 -0800 2007 massive plugin update, piston++ [technoweenie]
directory test/ Tue Jan 30 08:25:30 -0800 2007 massive plugin update, piston++ [technoweenie]
README
WhiteList
=========

This White Listing helper will html encode all tags and strip all attributes that aren't specifically allowed.  
It also strips href/src tags with invalid protocols, like javascript: especially.  It does its best to counter any
tricks that hackers may use, like throwing in unicode/ascii/hex values to get past the javascript: filters.  Check out
the extensive test suite.

  <%= white_list @article.body %>

You can add or remove tags/attributes if you want to customize it a bit.

Add table tags
  
  WhiteListHelper.tags.merge %w(table td th)

Remove tags
  
  WhiteListHelper.tags.delete 'div'

Change allowed attributes

  WhiteListHelper.attributes.merge %w(id class style)

white_list accepts a block for custom tag escaping.  Shown below is the default block that white_list uses if none is 
given.
The block is called for all bad tags, and every text node.  node is an instance of HTML::Node (either HTML::Tag or 
HTML::Text).  
bad is nil for text nodes inside good tags, or is the tag name of the bad tag.  

  <%= white_list(@article.body) { |node, bad| white_listed_bad_tags.include?(bad) ? nil : node.to_s.gsub(/</, '&lt;') } 
  %>