SafeAnchor wraps Rails's default link_to helper and sanitize method so that link_to always outputs a sanitized anchor tag.
This follows a secure-by-default principle: sanitization is on unless you opt out by passing the optional argument keep_dirty: true
to the link_to helper.
Add this line to your application's Gemfile:
gem 'safe_anchor'
And then execute:
$ bundle install
Or install it yourself as:
$ gem install safe_anchor
SafeAnchor is secure by default: a javascript: URL fails sanitization, so the href attribute is dropped and only the anchor text remains.
<%= link_to "Dangerous Anchor", "javascript: alert('Boo!')" %>
# <a>Dangerous Anchor</a>
Turning off sanitization with keep_dirty: true (the href is emitted exactly as given, so only do this for URLs you control, never for user-supplied values):
<%= link_to "Dangerous Anchor", "javascript: alert('Boo!')", keep_dirty: true %>
# <a keep_dirty="true" href="javascript: alert('Boo!')">Dangerous Anchor</a>
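The two examples above show the behaviour, not how the href check works. The block below is an added example written for this README, not the safe_anchor gem's own code: a small, Rails-free helper with the same secure-by-default contract (sanitized unless keep_dirty: true), using a scheme allowlist in place of Rails's sanitize. The module name SafeLinkExample, the ALLOWED_SCHEMES list and the whitespace/control-character normalization are choices made for this example and are not the gem's; it also does not emit the keep_dirty attribute that appears in the gem's output above.

```ruby
require 'cgi'

# Added example, not safe_anchor's implementation: a minimal secure-by-default
# link helper that mirrors the README's link_to contract without Rails.
module SafeLinkExample
  # Schemes permitted in an href (assumed allowlist for this example).
  # Anything else (javascript:, data:, vbscript:, ...) is dropped.
  # Scheme-less, i.e. relative, URLs are allowed.
  ALLOWED_SCHEMES = %w[http https mailto tel].freeze

  # Returns the href unchanged if its scheme is allowed, nil otherwise.
  # Browsers ignore ASCII whitespace and control characters inside the scheme
  # ("java\tscript:" still runs), so those are stripped and the result is
  # downcased before the scheme is inspected. The original href is returned,
  # only the copy used for the check is normalized.
  def self.safe_href(href)
    return nil if href.nil?
    normalized = href.to_s.gsub(/[\x00-\x20\x7f]/, '').downcase
    # Scheme per RFC 3986: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) ":"
    if (m = normalized.match(/\A([a-z][a-z0-9+.\-]*):/))
      return nil unless ALLOWED_SCHEMES.include?(m[1])
    end
    href
  end

  # Mirrors link_to(name, href, keep_dirty: ...) from the README: sanitized by
  # default, raw href only when keep_dirty: true is passed explicitly.
  # Both the text and the href are HTML-escaped so neither can break out of
  # the tag or the attribute value.
  def self.link_to(name, href, keep_dirty: false)
    target = keep_dirty ? href : safe_href(href)
    text = CGI.escapeHTML(name.to_s)
    return "<a>#{text}</a>" if target.nil?
    %(<a href="#{CGI.escapeHTML(target.to_s)}">#{text}</a>)
  end
end

if __FILE__ == $PROGRAM_NAME
  puts SafeLinkExample.link_to("Dangerous Anchor", "javascript: alert('Boo!')")
  puts SafeLinkExample.link_to("Dangerous Anchor", "javascript: alert('Boo!')", keep_dirty: true)
  puts SafeLinkExample.link_to("Obfuscated", " JavaScript:alert(1)")
  puts SafeLinkExample.link_to("Relative", "/about")
end
```

The normalization step is the part worth copying: a check that only compares the raw string against "javascript:" is bypassed by a leading space, mixed case or an embedded tab, all of which browsers tolerate. Checking an allowlist of schemes, rather than a denylist of bad ones, also covers data: and vbscript: without listing them.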
Bug reports and pull requests are welcome on GitHub at https://github.com/woodydark/safe_anchor.
The gem is available as open source under the terms of the MIT License.