Skip to content
This repository

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP

Rails plugin to sanitize ActiveRecord objects when they are saved. Can work with whatever sanitization method you like.

branch: master
README.rdoc

SanitizeAttributes

This is a simple plugin for ActiveRecord models to define sanitizable attributes. When an object is saved, those attributes will be run through whatever filter you've defined. You can define a default filter for all sanitizations.

Sanitization only happens for non-nil attributes. (Because a nil attribute may be valid for your model, and the sanitzers should only have to worry about working with strings.)

This plugin was created to implement anti-XSS validation. My gem of choice is Sanitize: github.com/rgrove/sanitize/tree/master

For Rails 3, add this line to your Gemfile:

gem 'sanitize_attributes', :git => "git@github.com:devp/sanitize_attributes.git"

For Rails 2.3, it should work when installed as a plugin:

./script/plugin install git@github.com:devp/sanitize_attributes.git

Example

# config/initializers/sanitize_attributes.rb
SanitizeAttributes.default_sanitization_method = lambda do |text|
  text.gsub(/[^\w\s]/, "") # very simple, very limited
end

# app/models/bookmark.rb
class Bookmark
  sanitize_attributes :sitename
end

# app/models/article.rb
class Article   
  sanitize_attributes :title, :author

  sanitize_attributes :body do |body_text|
    # This needs to be safe, renderable HTML, so let's use a real sanization tool
    # I recommend: http://github.com/rgrove/sanitize/tree/master 
    Sanitize.clean(body_text)
  end
end 

Article.default_sanitization_method_for_class = lambda do |text|
  text.gsub(/[^\w\s\'".,?!]/, "") # more reasonable, for titles and such
end

# in action...
b = Bookmark.create(:sitename => "boston.rb!!!", :url => "http://http://bostonrb.org/")
b.sitename # => "bostonrb"
a = Article.create(:title => "<b>Hello</b>!", :body => "Please remove the <script>script tags</script>!")
a.title # => "Hello!"
a.body  # => "Please remove the script tags!"

Future Work

Things to work on in the future:

  • allowing strings/symbols for sanitization methods, not just blocks

    Nacho.default_sanitization_method_for_class = :microwave # uses Nacho.microwave
    Nacho.default_sanitization_method_for_class = "Sanitize.clean"
  • add validation helpers, if you want to flag problematic text rather than cleaning it.

    class Foo

    validate_sanitized :value

    end Foo.new(:value => “abc”).valid? #=> false if a sanitized copy of #value is different than the original

  • better functionality for subclasses. Currently, they will share sanitized attributes and sanitization methods across subclasses and the base class.

Etc

Thanks to contributors:

  • Josh Nichols

  • Michael Reinsch

  • Paul McMahon

© 2009 Dev Purkayastha, released under the MIT license

Something went wrong with that request. Please try again.