I've been using the sanitize method in a Rails 4 app to scrub a page which displays HTML that users generate, to prevent unsafe things like script injection. So I have a view that looks like:
sanitize @user_input
Right now I'm having issues when users are entering video tags with a source tag under them, like so:
<video><source src="foo.bar"></video>
Unfortunately it looks like sanitize is stripping out the source tag, so videos are no longer working. How do I use sanitize so it allows source tags? Also, how can I get a list of tags that are being allowed/disallowed? It'd be great to understand what is going on under the hood.
Just to be fully clear, I'd like to be able to add the source tag to the whitelist. When I specify it as an allowed tag in the arguments for sanitize, it removes all the previous defaults for whitelisted tags. For example, I'd still like to allow default tags like a, h1, etc.
How do I add source to the whitelist instead of completely replacing it?
After digging through the source I've found that the list of default elements allowed is based on Loofah's WhiteList sanitizer:
- Defaults tags:
Loofah::HTML5::WhiteList::ALLOWED_ELEMENTS_WITH_LIBXML2
- Default attributes:
Loofah::HTML5::WhiteList::ALLOWED_ATTRIBUTES
So to add <source> to the default list you could do the following:
# Copy the defaults before extending them, so the library's own constant is
# not mutated for every other caller in the process.
default_tags = Loofah::HTML5::WhiteList::ALLOWED_ELEMENTS_WITH_LIBXML2.dup.add('source')
default_attributes = Loofah::HTML5::WhiteList::ALLOWED_ATTRIBUTES
sanitize @user_input, tags: default_tags, attributes: default_attributes
You can do something like this:
<%= sanitize @user_input, tags: %w(video source), attributes: %w(src) %>
Check out http://apidock.com/rails/ActionView/Helpers/SanitizeHelper/sanitize.
You can supply an option hash with the tags you would like to whitelist like so:
sanitize('<video><source src="foo.bar"></video>', tags: %w(video source))
I can't find if there is a way to get the full whitelist from within the Rails app, but this is the source code of the default sanitizer that is used (check out the WhiteListSanitizer class): https://github.com/rails/rails-html-sanitizer/blob/master/lib/rails/html/sanitizer.rb
From there you can see that the allowed tags are:
%w(strong em b i p code pre tt samp kbd var sub sup dfn cite big small address hr br div span
   h1 h2 h3 h4 h5 h6 ul ol li dl dt dd abbr acronym a img blockquote del ins)
and the allowed attributes are:
%w(href src width height alt cite datetime title class name xml:lang abbr)
You can add video and source to the tags list and provide it to the sanitize helper.
By adjusting the default whitelist:
# source is an element, so it goes on the tag whitelist, not the attribute one;
# video is not in the defaults either, so add both. Work on a copy: `<<` on the
# original Set would change the defaults for every sanitize call in the app.
tags_whitelist = Rails::Html::Sanitizer.white_list_sanitizer.allowed_tags.dup
tags_whitelist << 'video' << 'source'
sanitize(@user_input, tags: tags_whitelist)