Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with
or
.
Download ZIP
Rails plugin to sanitize ActiveRecord objects when they are saved. Can work with whatever sanitization method you like.
Ruby
Branch: master
Pull request Compare This branch is 4 commits behind devp:master.

Fetching latest commit…

Cannot retrieve the latest commit at this time

Failed to load latest commit information.
lib
test
.gitignore
Gemfile
MIT-LICENSE
README.rdoc
Rakefile
init.rb
sanitize_attributes.gemspec

README.rdoc

SanitizeAttributes

This is a simple plugin for ActiveRecord models to define sanitizable attributes. When an object is saved, those attributes will be run through whatever filter you've defined. You can define a default filter for all sanitizations.

Sanitization only happens for non-nil attributes. (Because a nil attribute may be valid for your model, and the sanitzers should only have to worry about working with strings.)

This plugin was created to implement anti-XSS validation. My current gem of choice is Sanitize: github.com/rgrove/sanitize/tree/master

Example

# probably in environment.rb
SanitizeAttributes.default_sanitization_method = lambda do |text|
  text.gsub(/[^\w\s]/, "") # very simple, very limited
end

# app/models/bookmark.rb
class Bookmark
  sanitize_attribute :sitename
end

# app/models/article.rb
class Article
  default_sanitization_method_for_class = lambda do |text|
    text.gsub(/[^\w\s'".,?!]/, """) # more reasonable, for titles and such
  end

  sanitize_attributes :title, :author

  sanitize_attributes :body do |body_text|
    # This needs to be safe, renderable HTML, so let's use a real sanization tool
    # I recommend: http://github.com/rgrove/sanitize/tree/master 
    Sanitize.clean(body_text)
  end
end

# in action...
b = Bookmark.create(:sitename => "boston.rb!!!", :url => "http://http://bostonrb.org/")
b.sitename # => "bostonrb"
a = Article.create(:title => "<b>Hello</b>!", :body => "Please remove the <script>script tags</script>!")
a.title # => "Hello!"
a.body  # => "Please remove the script tags!"

Future Work

Things to work on in the future:

  • allowing strings/symbols for sanitization methods, not just blocks

    Nacho.default_sanitization_method_for_class = :microwave # uses Nacho.microwave
    Nacho.default_sanitization_method_for_class = "Sanitize.clean"
  • add validation helpers, if you want to flag problematic text rather than cleaning it.

    class Foo

    validate_sanitzed :value

    end Foo.new(:value => “abc”).valid? #=> false if a sanitized copy of #value is different than the original

  • better functionality for subclasses. Currently, they will share sanitized attributes and sanitization methods across subclasses and the base class.

Etc

© 2009 Dev Purkayastha, released under the MIT license

Something went wrong with that request. Please try again.