HTML Sanitizer based on Nokogiri
Tag: v0.2.0
README.rdoc

Loofah

DESCRIPTION

Loofah is an HTML sanitizer. It will always fix broken markup, but can also sanitize unsafe tags in a few different ways, and transform the markup for storage or display.

It's built on top of Nokogiri and libxml2, so it's fast. And it uses html5lib's whitelist, so it most likely won't make your code less secure.

(These statements have not been evaluated by Internet Experts.)

This library was formerly known as Dryopteris.

FEATURES

  • Strip unsafe tags, leaving behind only the inner text.

  • Prune unsafe tags and their subtrees, removing all traces that they ever existed.

  • Escape unsafe tags and their subtrees, leaving behind lots of < and > entities.

  • Whitewash the markup, removing all attributes and namespaced nodes.

  • Format the markup as plain text.

  • ActiveRecord extension.

  • 99 44/100 % Tenderlove-free!

SYNOPSIS

For a full explanation, see the documentation for Loofah.

  require 'loofah'

  unsafe_html = "ohai! <div>a div is safe</div> <script>but script is not</script>"

  Loofah.scrub_fragment(unsafe_html, :prune).to_s  # => "ohai! <div>a div is safe</div> "

OR

  doc = Loofah.fragment(unsafe_html)  # returns a Nokogiri document ...
  doc.scrub!(:prune)                  # ... with one extra method
  doc.to_s                            # => "ohai! <div>a div is safe</div> "
  doc.text                            # => "ohai! a div is safe "

ACTIVERECORD EXTENSION

  # config/environment.rb
  require 'loofah/active_record'

  # db/schema.rb
  create_table "posts" do |t|
    t.string  "title"
    t.string  "body"
  end

  # app/model/post.rb
  class Post < ActiveRecord::Base
    html_fragment :body, :scrub => :prune  # scrubs 'body' in a before_save
  end

REQUIREMENTS

  • ruby 1.8 or 1.9

  • Nokogiri >= 1.3.3

INSTALLATION

Unsurprisingly:

  • gem install loofah

SUPPORT

The bug tracker is available here:

You can also try the Nokogiri mailing list:

And the IRC channel is #nokogiri on freenode.

RELATED LINKS

AUTHORS

Featuring code contributed by:

  • Aaron Patterson

  • John Barnette

  • Josh Owens

  • Paul Dix

LICENSE

The MIT License

Copyright © 2009 Mike Dalessio, Bryan Helmkamp

See MIT-LICENSE.txt in this directory.
