Rails plugin to sanitize ActiveRecord objects when they are saved. Can work with whatever sanitization method you like.



This is a simple plugin for ActiveRecord models to define sanitizable attributes. When an object is saved, those attributes are run through whatever filter you've defined: a block given for the attribute itself, a per-class default, or a global default filter for all sanitizations.

Sanitization only happens for non-nil attributes. (A nil attribute may be valid for your model, and the sanitizers should only have to worry about working with strings.)

This plugin was created as an anti-XSS measure: user-supplied text is cleaned before it is stored. My gem of choice for the cleaning itself is Sanitize:

For Rails 3, add this line to your Gemfile:

gem 'sanitize_attributes', :git => ""

For Rails 2.3, it should work when installed as a plugin:

./script/plugin install


# config/initializers/sanitize_attributes.rb
SanitizeAttributes.default_sanitization_method = lambda do |text|
  text.gsub(/[^\w\s]/, "") # very simple, very limited: a character filter, not an HTML parser
end

# app/models/bookmark.rb
class Bookmark < ActiveRecord::Base
  sanitize_attributes :sitename # uses the global default above
end

# app/models/article.rb
class Article < ActiveRecord::Base
  sanitize_attributes :title, :author # use the class default defined below

  sanitize_attributes :body do |body_text|
    # This needs to be safe, renderable HTML, so let's use a real sanitization tool.
    # I recommend: the Sanitize gem (mentioned above)
    Sanitize.clean(body_text)
  end
end

Article.default_sanitization_method_for_class = lambda do |text|
  text.gsub(/[^\w\s\'".,?!]/, "") # more reasonable, for titles and such
end

# in action...
b = Bookmark.create(:sitename => "boston.rb!!!", :url => "http://")
b.sitename # => "bostonrb"
a = Article.create(:title => "<b>Hello</b>!", :body => "Please remove the <script>script tags</script>!")
a.title # => "bHellob!"  (the class default only removes "<", ">" and "/"; it does not know what a tag is)
a.body  # => "Please remove the script tags!"
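The mechanics described above (one filter per attribute, a per-class default, a global default, nil left untouched, everything applied at save time), as a stand-alone Ruby sketch added to this page. It is not the plugin's code and uses no ActiveRecord: the module Sanitizable, the base class PlainModel, the tag-stripping stand-in for a real HTML sanitizer and the example URL are all made up for the illustration. It also shows why a character-class filter turns "<b>Hello</b>!" into "bHellob!" rather than "Hello!".

```ruby
# Added example, not the sanitize_attributes plugin's own code.
# A dependency-free sketch of the behaviour the README describes, so the
# save-time hook, the filter lookup order and the nil rule can be run
# without Rails. Sanitizable and PlainModel are hypothetical names.

module Sanitizable
  # Process-wide fallback, like SanitizeAttributes.default_sanitization_method.
  class << self
    attr_accessor :default_sanitization_method
  end

  def self.included(base)
    base.extend(ClassMethods)
  end

  module ClassMethods
    # Per-class fallback, like Model.default_sanitization_method_for_class.
    attr_accessor :default_sanitization_method_for_class

    # Declare attributes; a missing block means "use the defaults".
    def sanitize_attributes(*names, &block)
      names.each { |name| sanitizers[name.to_sym] = block }
    end

    def sanitizers
      @sanitizers ||= {} # stored per class in this sketch
    end

    # Lookup order: attribute block, then class default, then global default.
    def sanitizer_for(name)
      sanitizers[name] ||
        default_sanitization_method_for_class ||
        Sanitizable.default_sanitization_method ||
        raise(ArgumentError, "no sanitizer defined for #{self}##{name}")
    end
  end

  # What a before_save hook would do: replace every declared, non-nil
  # attribute with its filtered copy. nil is deliberately left alone.
  def sanitize_attributes!
    self.class.sanitizers.each_key do |name|
      value = send(name)
      next if value.nil?
      send("#{name}=", self.class.sanitizer_for(name).call(value.to_s))
    end
    self
  end
end

# Minimal stand-in for an ActiveRecord model: attribute setters plus a save
# that triggers the hook.
class PlainModel
  include Sanitizable

  def initialize(attrs = {})
    attrs.each { |k, v| send("#{k}=", v) }
  end

  def save
    sanitize_attributes!
    true
  end
end

# Same filters as the README's usage example.
Sanitizable.default_sanitization_method = lambda { |text| text.gsub(/[^\w\s]/, "") }

class Bookmark < PlainModel
  attr_accessor :sitename, :url
  sanitize_attributes :sitename # :url is deliberately not declared
end

class Article < PlainModel
  attr_accessor :title, :body
  sanitize_attributes :title
  sanitize_attributes :body do |html|
    # Stand-in for a real HTML sanitizer (the README recommends the Sanitize
    # gem): strips tags, keeps their text. Shows where the hook runs; it is
    # NOT an XSS defence on its own.
    html.gsub(/<[^>]*>/, "")
  end
  self.default_sanitization_method_for_class = lambda { |text| text.gsub(/[^\w\s'".,?!]/, "") }
end

# Constructed inputs; returns the saved values so they can be checked.
def demo
  b = Bookmark.new(:sitename => "boston.rb!!!", :url => "http://example.invalid/?q=<x>")
  b.save
  a = Article.new(:title => "<b>Hello</b>!", :body => "Please remove the <script>script tags</script>!")
  a.save
  n = Bookmark.new(:sitename => nil) # nil is valid here and must survive the hook
  n.save
  { :sitename => b.sitename, :url => b.url, :title => a.title, :body => a.body, :nil_sitename => n.sitename }
end
```

Running demo shows the undeclared :url passing through untouched, the nil :sitename staying nil, and the title coming out as "bHellob!": the regex defaults remove individual characters and are only suitable for plain-text fields; anything that will be rendered as HTML needs a parser-based sanitizer in the attribute's own block.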

Future Work

Things to work on in the future:

  • allowing strings/symbols for sanitization methods, not just blocks

    Nacho.default_sanitization_method_for_class = :microwave # uses Nacho.microwave
    Nacho.default_sanitization_method_for_class = "Sanitize.clean"
  • add validation helpers, if you want to flag problematic text rather than cleaning it.

    class Foo < ActiveRecord::Base
      validate_sanitized :value
    end

    Foo.new(:value => "abc").valid? #=> false if a sanitized copy of #value is different from the original

  • better functionality for subclasses. Currently, they will share sanitized attributes and sanitization methods across subclasses and the base class.


Thanks to contributors:

  • Josh Nichols

  • Michael Reinsch

  • Paul McMahon

© 2009 Dev Purkayastha, released under the MIT license
