Skip to content
/ sanitize_attributes Public

Rails plugin to sanitize ActiveRecord objects when they are saved. Can work with whatever sanitization method you like.

License

MIT license
10 stars 5 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

devp/sanitize_attributes

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

15 Commits
lib
lib
 
 
test
test
 
 
.gitignore
.gitignore
 
 
Gemfile
Gemfile
 
 
MIT-LICENSE
MIT-LICENSE
 
 
README.rdoc
README.rdoc
 
 
Rakefile
Rakefile
 
 
init.rb
init.rb
 
 
sanitize_attributes.gemspec
sanitize_attributes.gemspec
 
 

Repository files navigation

SanitizeAttributes

This is a simple plugin for ActiveRecord models to define sanitizable attributes. When an object is saved, those attributes will be run through whatever filter you’ve defined. You can define a default filter for all sanitizations.

Sanitization only happens for non-nil attributes. (Because a nil attribute may be valid for your model, and the sanitzers should only have to worry about working with strings.)

This plugin was created to implement anti-XSS validation. My gem of choice is Sanitize: github.com/rgrove/sanitize/tree/master

For Rails 3, add this line to your Gemfile:

gem 'sanitize_attributes', :git => "git@github.com:devp/sanitize_attributes.git"

For Rails 2.3, it should work when installed as a plugin:

./script/plugin install git@github.com:devp/sanitize_attributes.git

Example 

# config/initializers/sanitize_attributes.rb
SanitizeAttributes.default_sanitization_method = lambda do |text|
  text.gsub(/[^\w\s]/, "") # very simple, very limited
end

# app/models/bookmark.rb
class Bookmark
  sanitize_attributes :sitename
end

# app/models/article.rb
class Article   
  sanitize_attributes :title, :author

  sanitize_attributes :body do |body_text|
    # This needs to be safe, renderable HTML, so let's use a real sanization tool
    # I recommend: http://github.com/rgrove/sanitize/tree/master
    Sanitize.clean(body_text)
  end
end 

Article.default_sanitization_method_for_class = lambda do |text|
  text.gsub(/[^\w\s\'".,?!]/, "") # more reasonable, for titles and such
end

# in action...
b = Bookmark.create(:sitename => "boston.rb!!!", :url => "http://http://bostonrb.org/")
b.sitename # => "bostonrb"
a = Article.create(:title => "<b>Hello</b>!", :body => "Please remove the <script>script tags</script>!")
a.title # => "Hello!"
a.body  # => "Please remove the script tags!"

Future Work

Things to work on in the future:

  • allowing strings/symbols for sanitization methods, not just blocks

    Nacho.default_sanitization_method_for_class = :microwave # uses Nacho.microwave
Nacho.default_sanitization_method_for_class = "Sanitize.clean"

  • add validation helpers, if you want to flag problematic text rather than cleaning it.

    class Foo

    validate_sanitized :value

    end Foo.new(:value => “abc”).valid? #=> false if a sanitized copy of #value is different than the original

  • better functionality for subclasses. Currently, they will share sanitized attributes and sanitization methods across subclasses and the base class.

Etc

Thanks to contributors:

  • Josh Nichols

  • Michael Reinsch

  • Paul McMahon

© 2009 Dev Purkayastha, released under the MIT license

About

Rails plugin to sanitize ActiveRecord objects when they are saved. Can work with whatever sanitization method you like.

Resources

Readme

License

MIT license
Activity

Stars

10 stars

Watchers

4 watching

Forks

5 forks
Report repository

Releases

2 tags

Packages

No packages published

Languages