Customize tag and attribute sanitization

Fixes #6
rails · Oct 3, 2018 · 598ef2e · 598ef2e
1 parent aa1d463
commit 598ef2e
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 2 deletions.
diff --git a/app/helpers/action_text/content_helper.rb b/app/helpers/action_text/content_helper.rb
@@ -18,7 +18,11 @@ def render_action_text_content(content)
         end.chomp
       end
 
-      content.to_html
+      sanitize content.to_html, tags: ActionText::ALLOWED_TAGS, attributes: ActionText::ALLOWED_ATTRIBUTES
     end
   end
+
+  SANITIZER = Rails::Html::Sanitizer.white_list_sanitizer
+  ALLOWED_TAGS = SANITIZER.allowed_tags + [ ActionText::Attachment::TAG_NAME, "figure", "figcaption" ]
+  ALLOWED_ATTRIBUTES = SANITIZER.allowed_attributes + ActionText::Attachment::ATTRIBUTES
 end
diff --git a/app/views/action_text/content/_layout.html.erb b/app/views/action_text/content/_layout.html.erb
@@ -1,3 +1,3 @@
 <div class="trix-content">
-  <%= sanitize render_action_text_content(content) %>
+  <%= render_action_text_content(content) %>
 </div>