Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP
Rails plugin to sanitize ActiveRecord objects when they are saved. Can work with whatever sanitization method you like.
branch: master

This branch is 4 commits behind devp:master

Fetching latest commit…

Cannot retrieve the latest commit at this time

Failed to load latest commit information.
lib
test
.gitignore
Gemfile
MIT-LICENSE
README.rdoc
Rakefile
init.rb
sanitize_attributes.gemspec

README.rdoc

SanitizeAttributes

This is a simple plugin for ActiveRecord models to define sanitizable attributes. When an object is saved, those attributes will be run through whatever filter you've defined. You can define a default filter for all sanitizations.

Sanitization only happens for non-nil attributes. (Because a nil attribute may be valid for your model, and the sanitzers should only have to worry about working with strings.)

This plugin was created to implement anti-XSS validation. My current gem of choice is Sanitize: github.com/rgrove/sanitize/tree/master

Example

# probably in environment.rb
SanitizeAttributes.default_sanitization_method = lambda do |text|
  text.gsub(/[^\w\s]/, "") # very simple, very limited
end

# app/models/bookmark.rb
class Bookmark
  sanitize_attribute :sitename
end

# app/models/article.rb
class Article
  default_sanitization_method_for_class = lambda do |text|
    text.gsub(/[^\w\s'".,?!]/, """) # more reasonable, for titles and such
  end

  sanitize_attributes :title, :author

  sanitize_attributes :body do |body_text|
    # This needs to be safe, renderable HTML, so let's use a real sanization tool
    # I recommend: http://github.com/rgrove/sanitize/tree/master 
    Sanitize.clean(body_text)
  end
end

# in action...
b = Bookmark.create(:sitename => "boston.rb!!!", :url => "http://http://bostonrb.org/")
b.sitename # => "bostonrb"
a = Article.create(:title => "<b>Hello</b>!", :body => "Please remove the <script>script tags</script>!")
a.title # => "Hello!"
a.body  # => "Please remove the script tags!"

Future Work

Things to work on in the future:

  • allowing strings/symbols for sanitization methods, not just blocks

    Nacho.default_sanitization_method_for_class = :microwave # uses Nacho.microwave
    Nacho.default_sanitization_method_for_class = "Sanitize.clean"
  • add validation helpers, if you want to flag problematic text rather than cleaning it.

    class Foo

    validate_sanitzed :value

    end Foo.new(:value => “abc”).valid? #=> false if a sanitized copy of #value is different than the original

  • better functionality for subclasses. Currently, they will share sanitized attributes and sanitization methods across subclasses and the base class.

Etc

© 2009 Dev Purkayastha, released under the MIT license

Something went wrong with that request. Please try again.