How can I allow tags through rails 4 sani

Published 2019-07-15 09:04

Question:

I've been using the sanitize method in a Rails 4 app to scrub a page which displays html that users generate to prevent unsafe things like script injection. So I have a view that looks like:

sanitize @user_input

Right now I'm having issues when users are entering video tags with a source tag under it like so:

<video><source src="foo.bar"></video>

Unfortunately it looks like sanitize is stripping out the source tag so videos are no longer working. How do I use sanitize so it allows source tags? Also how can I get a list of tags that are being allowed/disallowed? It'd be great to understand what is going on under the hood.

Just to be fully clear, I'd like to be able to add the source tag to the whitelist. When I specify it as an allowed tag in the arguments for sanitize it removes all the previous defaults for whitelisted tags. For example, I'd still like to allow default tags like a, h1, etc.

How do I add source to the whitelist instead of completely replacing it?

Answer 1:

After digging through the source I've found that the list of default elements allowed is based on Loofah's WhiteList Sanitize.

  • Default tags: Loofah::HTML5::WhiteList::ALLOWED_ELEMENTS_WITH_LIBXML2
  • Default attributes: Loofah::HTML5::WhiteList::ALLOWED_ATTRIBUTES

So to add <source> to the default list you could do the following:

# Set#add mutates in place, so copy the library constant first instead of
# editing Loofah's own default list for the whole process
default_tags = Loofah::HTML5::WhiteList::ALLOWED_ELEMENTS_WITH_LIBXML2.dup.add('source')
default_attributes = Loofah::HTML5::WhiteList::ALLOWED_ATTRIBUTES
sanitize @user_input, tags: default_tags, attributes: default_attributes
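
An added example (not code from the answers above) showing how to build the extended tag and attribute lists without touching the library's defaults, and then pass them to the sanitizer. The default lists are a constructed copy of the ones quoted in answer 3; the `controls` attribute, the helper names and the `Rails::Html::SafeListSanitizer` call are assumptions.

```ruby
# Added example: extend the default allowlist instead of replacing it,
# and never mutate the library constants while doing so.
require 'set'

# Constructed stand-in for the defaults quoted in answer 3. In an app you
# would read Rails::Html::WhiteListSanitizer.allowed_tags instead.
DEFAULT_TAGS = Set.new(%w(strong em b i p code pre tt samp kbd var sub
  sup dfn cite big small address hr br div span h1 h2 h3 h4 h5 h6 ul ol li
  dl dt dd abbr acronym a img blockquote del ins)).freeze
DEFAULT_ATTRIBUTES = Set.new(%w(href src width height alt cite datetime
  title class name xml:lang abbr)).freeze

# Returns a fresh { tags:, attributes: } hash ready to splat into sanitize.
# Set#+ builds a new Set, so the (frozen) defaults are left untouched; an
# in-place Set#add on a frozen default would raise FrozenError instead.
def extended_allowlist(extra_tags: [], extra_attributes: [],
                       base_tags: DEFAULT_TAGS,
                       base_attributes: DEFAULT_ATTRIBUTES)
  { tags: base_tags + extra_tags,
    attributes: base_attributes + extra_attributes }
end

# Allow <video><source src=...> (plus the boolean `controls` attribute,
# an assumption) on top of the defaults. The gem is required lazily so the
# allowlist logic above can be exercised without Rails installed.
def sanitize_with_video(html)
  require 'rails-html-sanitizer'
  opts = extended_allowlist(extra_tags: %w(video source),
                            extra_attributes: %w(controls))
  Rails::Html::SafeListSanitizer.new.sanitize(html, **opts)
end
```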


Answer 2:

You can do something like this:

<%= sanitize @user_input, tags: %w(video source), attributes: %w(src) %>



Answer 3:

Check out http://apidock.com/rails/ActionView/Helpers/SanitizeHelper/sanitize.

You can supply an option hash with the tags you would like to whitelist like so:

sanitize('<video><source src="foo.bar"></video>', tags: %w(video source))

I can't find if there is a way to get the full whitelist from within the Rails app, but this is the source code of the default sanitizer that is used (check out the WhiteListSanitizer class):

https://github.com/rails/rails-html-sanitizer/blob/master/lib/rails/html/sanitizer.rb

From there you can see that the allowed tags are:

%w(strong em b i p code pre tt samp kbd var sub
    sup dfn cite big small address hr br div span h1 h2 h3 h4 h5 h6 ul ol li dl dt dd abbr
    acronym a img blockquote del ins)

and the allowed attributes are:

%w(href src width height alt cite datetime title class name xml:lang abbr)

You can add video and source to the tags list and provide it to the sanitize helper.



Answer 4:

By adjusting the default whitelist:

# 'source' is an element, so it belongs in the tag whitelist, not the attribute one;
# dup first so the sanitizer's shared default list is not modified in place
tags_whitelist = Rails::Html::Sanitizer.white_list_sanitizer.allowed_tags.dup
tags_whitelist << 'source'
sanitize(@user_input, tags: tags_whitelist)