SafeAnchor ensures all link_to helper calls in Rails are sanitized by default
WoodyDark/safe_anchor
SafeAnchor

This is experimental, try at your own risk.

SafeAnchor wraps Rails' default link_to helper and sanitize method so that it always outputs a sanitized anchor tag.

This follows a secure-by-default principle; sanitization can be turned off for a single call by passing the optional argument keep_dirty: true to the link_to helper.

Installation

Add this line to your application's Gemfile:

gem 'safe_anchor'

And then execute:

$ bundle install

Or install it yourself as:

$ gem install safe_anchor

Usage

SafeAnchor is secure-by-default.

<%= link_to "Dangerous Anchor", "javascript: alert('Boo!')" %>
# <a>Dangerous Anchor</a>

Turning off sanitization.

<%= link_to "Dangerous Anchor", "javascript: alert('Boo!')", keep_dirty: true %>
# <a keep_dirty="true" href="javascript: alert('Boo!')">Dangerous Anchor</a>
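The behaviour shown above, as an added illustration that is not the gem's own code: a minimal stand-in for a sanitizing link_to helper. It uses a small scheme allowlist (an assumption, standing in for the protocol allow-list of the Rails sanitizer the gem wraps), drops the href attribute entirely when the scheme is not allowed, and passes the href through untouched only when keep_dirty: true is given. The names safe_href? and safe_link_to are hypothetical.

```ruby
require 'cgi'

# Schemes an href may use; anything else causes the href to be dropped.
# Assumed allowlist for this example, not the gem's configuration.
SAFE_SCHEMES = %w[http https mailto tel ftp].freeze

# True if the href is relative (path, fragment, query, protocol-relative)
# or uses an allowed scheme. Browsers ignore ASCII control characters and
# whitespace inside a scheme, so they are stripped before comparison;
# otherwise "java\tscript:" would slip past a naive prefix check.
def safe_href?(href)
  normalized = href.to_s.gsub(/[\x00-\x20]/, '')
  scheme = normalized[/\A([a-z][a-z0-9+.\-]*):/i, 1]
  return true if scheme.nil? # no scheme at all: treated as a relative URL
  SAFE_SCHEMES.include?(scheme.downcase)
end

# Minimal link_to-like helper. Text and href are always HTML-escaped;
# the href attribute is omitted when its scheme is not allowed unless the
# caller explicitly opts out with keep_dirty: true.
def safe_link_to(text, href, keep_dirty: false)
  escaped_text = CGI.escapeHTML(text.to_s)
  escaped_href = CGI.escapeHTML(href.to_s)

  if keep_dirty
    # Opt-out path: the href is kept verbatim, mirroring the README's example.
    return %(<a keep_dirty="true" href="#{escaped_href}">#{escaped_text}</a>)
  end

  if safe_href?(href)
    %(<a href="#{escaped_href}">#{escaped_text}</a>)
  else
    # Unsafe scheme: emit the anchor without any href at all.
    %(<a>#{escaped_text}</a>)
  end
end

if __FILE__ == $0
  puts safe_link_to("Dangerous Anchor", "javascript: alert('Boo!')")
  puts safe_link_to("Docs", "https://example.com/docs")
  puts safe_link_to("Dirty", "javascript:alert(1)", keep_dirty: true)
end
```

Two points worth noticing when testing a helper like this: an href such as "localhost:3000/foo" has no leading slash, so the part before the colon is read as a scheme and the href is dropped; and the opt-out path re-introduces exactly the risk the default removes, so keep_dirty: true should only ever be used with hrefs that are not derived from user input.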

Contributing

Bug reports and pull requests are welcome on GitHub at https://github.com/woodydark/safe_anchor.

License

The gem is available as open source under the terms of the MIT License.
