Sanitize

commit ed8970a6ad43f5c9e431052cdf916c7f47dafe4d 1 parent c41d95d
@jarrett authored
13 README.markdown
@@ -12,6 +12,9 @@ RbbCode converts BBCode to HTML. Basic usage:
RbbCode.new.convert('This is [b]BBCode[/b]')
+All HTML output will be passed through the [Sanitize](https://github.com/rgrove/sanitizeize) gem. This
+protects you against malicious HTML.
+
For the curious, the parser is built with Treetop. But you don't need to know anything about Treetop
to use RbbCode.
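
Review bot: the Sanitize link on the first added line points at `https://github.com/rgrove/sanitizeize`, which does not match the `https://github.com/rgrove/sanitize` URL used in the options section of this same README; fix the typo so the link resolves. The claim "This protects you against malicious HTML" also only holds while `:sanitize` is left at its default of true and the config is the shipped whitelist, so a short qualifier here ("with the default config; see the options below") would keep the README from overpromising once the opt-out is documented.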
@@ -22,6 +25,16 @@ The constructor can accept an options hash.
To add emoticon support:
RbbCode.new(:emoticons => {':)' => 'http://example.com/path/to/your/smiley.png'})
+
+You can supply a [Sanitize config hash](https://github.com/rgrove/sanitize), which will
+be passed through verbatim to the Sanitize gem. The default Sanitize config is in
+`rbbcode/sanitize.rb`. Usage:
+
+ RbbCode.new(:sanitize_config => my_sanitize_config_hash)
+
+You can also turn Sanitize off altogether, though this is not recommended:
+
+ RbbCode.new(:sanitize => false)
## Supported BBCode features
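
Review bot: the opt-out paragraph says turning Sanitize off "is not recommended" but not why; state the consequence, namely that any raw HTML present in the BBCode input then reaches the output untouched (which is exactly what the new `test_sanitize_turned_off` relies on with its `<span>`), so it is only safe when the input is trusted. It is also worth saying that a supplied `:sanitize_config` replaces the default rather than extending it, so callers who only want to add or drop one element must start from a copy of `RbbCode::DEFAULT_SANITIZE_CONFIG`.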
12 lib/rbbcode.rb
@@ -4,7 +4,9 @@
require 'erb'
require 'rubygems'
require 'treetop'
+require 'sanitize'
require 'rbbcode/node_extensions'
+require 'rbbcode/sanitize'
class RbbCode
def self.parser_class
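
Review bot: `require 'sanitize'` makes the sanitize gem a hard runtime dependency, but none of the four files in this commit is a gemspec or Gemfile, so the dependency is not declared anywhere; add it, with a version constraint, so that installing rbbcode pulls in a Sanitize release that accepts this config hash format.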
@@ -25,7 +27,10 @@ def self.parser_class
end
def initialize(options = {})
- @options = options
+ @options = {
+ :sanitize => true,
+ :sanitize_config => RbbCode::DEFAULT_SANITIZE_CONFIG
+ }.merge(options)
end
def convert(bb_code)
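
Review bot: the defaults are applied with a shallow `merge`, so an explicit `:sanitize_config => nil` or a partial hash silently replaces `RbbCode::DEFAULT_SANITIZE_CONFIG` wholesale and is then handed to `Sanitize.clean` as-is, with none of the missing keys filled in from the default. Either document that the option must be a complete Sanitize config, or raise an `ArgumentError` here for `nil` and non-Hash values. A comment that only symbol keys are honoured (`'sanitize' => false` with a string key would be ignored by the merge) would also help.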
@@ -36,5 +41,10 @@ def convert(bb_code)
end
end
html
+ if @options[:sanitize]
+ Sanitize.clean(html, @options[:sanitize_config])
+ else
+ html
+ end
end
end
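
Review bot: the bare `html` expression just above the new `if @options[:sanitize]` is now a no-op, since the if/else supplies the method's return value; remove that line so the method has one clear exit. A short comment that sanitization is deliberately the last step, applied to the fully converted output rather than to the BBCode input, would make the intent obvious to the next reader.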
13 lib/rbbcode/sanitize.rb
@@ -0,0 +1,13 @@
+class RbbCode
+ DEFAULT_SANITIZE_CONFIG = {
+ :elements => %w[a blockquote br code del em img li p pre strong ul],
+ :attributes => {
+ 'a' => %w[href],
+ 'img' => %w[alt src]
+ },
+
+ :protocols => {
+ 'a' => {'href' => ['ftp', 'http', 'https', 'mailto', :relative]}
+ }
+ }
+end
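
Review bot: the `:protocols` whitelist covers only `a`/`href`; `img`/`src` is allowed under `:attributes` but gets no protocol entry, so the config applies a scheme whitelist to links and none to image sources. Add `'img' => {'src' => ['http', 'https', :relative]}` under `:protocols` so both URL-bearing attributes are restricted the same way. Also consider freezing the hash and its nested arrays: the README says the config is passed through verbatim, so a caller that mutates `RbbCode::DEFAULT_SANITIZE_CONFIG` would change the default for every later instance.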
33 test/sanitize_test.rb
@@ -0,0 +1,33 @@
+require File.join(File.expand_path(File.dirname(__FILE__)), 'test_helper.rb')
+
+class TestSanitize < Test::Unit::TestCase
+ include RbbCode::HTMLAssertions
+
+ def test_sanitize_custom_config
+ # Identical to RbbCode::DEFAULT_SANITIZE_CONFIG except without <strong>
+ config = {
+ :elements => %w[a blockquote br code del em img li p pre ul],
+ :attributes => {
+ 'a' => %w[href],
+ 'img' => %w[alt src]
+ },
+
+ :protocols => {
+ 'a' => {'href' => ['ftp', 'http', 'https', 'mailto', :relative]}
+ }
+ }
+ assert_converts_to(
+ '<p><em>Italic</em> but not bold.</p>',
+ '[i]Italic[/i] but not [b]bold.[/b]',
+ {:sanitize_config => config}
+ )
+ end
+
+ def test_sanitize_turned_off
+ assert_converts_to(
+ '<p><em>Italic</em> and a <span>custom span.</span></p>',
+ '[i]Italic[/i] and a <span>custom span.</span>',
+ {:sanitize => false}
+ )
+ end
+end
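
Review bot: neither test exercises the default path. Add a case with no options that feeds raw HTML (the same `<span>`, or a `<script>` element) and asserts it is stripped, since that is the behaviour the README now promises; without it a regression in `DEFAULT_SANITIZE_CONFIG` or in the `:sanitize => true` default would go unnoticed. The custom-config test also copies the whole default hash just to drop `strong`; building it from `RbbCode::DEFAULT_SANITIZE_CONFIG` with `'strong'` removed from `:elements` would keep the test from drifting when the default changes.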