Skip to content
This repository

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP

Objectified version of Technoweenie's white_list plugin for Rails. Implemented as a class, not as a helper.

branch: master

This branch is 0 commits ahead and 0 commits behind master

Fetching latest commit…

Cannot retrieve the latest commit at this time

README
WhiteList
=========

This White Listing helper will html encode all tags and strip all attributes that aren't specifically allowed.  
It also strips href/src tags with invalid protocols, like javascript: especially.  It does its best to counter any
tricks that hackers may use, like throwing in unicode/ascii/hex values to get past the javascript: filters.  Check out
the extensive test suite.

  <%= white_list @article.body %>

You can add or remove tags/attributes if you want to customize it a bit.

Add table tags
  
  WhiteListHelper.tags.merge %w(table td th)

Remove tags
  
  WhiteListHelper.tags.delete 'div'

Change allowed attributes

  WhiteListHelper.attributes.merge %w(id class style)

white_list accepts a block for custom tag escaping.  Shown below is the default block that white_list uses if none is given.
The block is called for all bad tags, and every text node.  node is an instance of HTML::Node (either HTML::Tag or HTML::Text).  
bad is nil for text nodes inside good tags, or is the tag name of the bad tag.  

  <%= white_list(@article.body) { |node, bad| white_listed_bad_tags.include?(bad) ? nil : node.to_s.gsub(/</, '&lt;') } %>
  
Ingress Filtering in a controller action.  This function will force the param specified (params[object][attribute]) to be
run through the white_list object first.  As such, this keeps us from persisting malicious data to the database.

  white_list_params!(:object, :attribute)
  
You can also call

  white_list_all_params!(:object)
  
which will iterate over all attributes of :object and white_list any attribute that is a String.
  
Original fork: http://github.com/railsmonk/white_list_objectified
Original plugin website: http://weblog.techno-weenie.net/2006/9/3/white-listing-plugin-for-rails
Original plugin SVN: http://svn.techno-weenie.net/projects/plugins/white_list/
Something went wrong with that request. Please try again.