Drop-in Rails engine that patches link_to to block dangerous protocols (javascript:, data:, vbscript:) and provides a URL validator to prevent SSRF via private/local IP resolution.
 Project Readme

href_sanitizer

Drop-in Rails engine that hardens link_to against dangerous protocols (javascript:, data:, vbscript:) and provides URL validation to prevent SSRF via private/local IP resolution.

Installation

gem "href_sanitizer"

Usage

Everything is enabled by default: add the gem to your Gemfile and link_to is patched automatically when the engine loads.

To configure:

HrefSanitizer.configure do |config|
  config.harden_link_to = true       # patch link_to (default: true)
  config.block_private_urls = true   # block private/local IPs (default: true)
  config.fallback_url = "#"          # replacement for unsafe URLs (default: "#")
  # called with the rejected URL and the reason it was rejected
  config.on_unsafe_url = ->(url, reason) { Rails.logger.warn("Blocked #{url}: #{reason}") }
end
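The two checks the README describes, as an added example written for this page and not code from href_sanitizer itself (the gem's internals are not shown here, and the class, method and option names below are assumptions, not its public API). It shows why a scheme filter has to normalise the href before matching, and why SSRF validation has to look at every address a hostname resolves to rather than at the hostname string. The DNS table is constructed so the example runs offline.

```ruby
require "uri"
require "ipaddr"
require "resolv"

# Added example, not href_sanitizer's own code: a minimal checker that applies the
# two checks the README describes, scheme filtering for href values and
# private/local address blocking for SSRF-style URL validation. Class, method and
# option names are assumptions, not the gem's public API.
class ExampleUrlCheck
  SAFE_HREF_SCHEMES = %w[http https mailto tel].freeze

  # "This host" and unspecified, loopback, RFC 1918, CGNAT, link-local (which
  # includes the cloud metadata address 169.254.169.254) and the IPv6 equivalents.
  BLOCKED_RANGES = %w[
    0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 127.0.0.0/8 169.254.0.0/16
    172.16.0.0/12 192.168.0.0/16 ::/128 ::1/128 fc00::/7 fe80::/10
  ].map { |cidr| IPAddr.new(cidr) }.freeze

  # resolver: callable taking a hostname and returning address strings. Injected so
  # the example can run offline; the default queries real DNS.
  def initialize(fallback: "#", resolver: ->(host) { Resolv.getaddresses(host) }, on_unsafe: nil)
    @fallback = fallback
    @resolver = resolver
    @on_unsafe = on_unsafe
  end

  # Returns [href_to_emit, reason]; reason is nil when the href is left unchanged.
  def sanitize_href(href)
    # Browsers drop ASCII control characters and whitespace when reading the
    # scheme, so "java\tscript:" and " javascript:" both execute. Match against a
    # normalised copy; the original string is what gets emitted if it is safe.
    normalized = href.to_s.gsub(/[\x00-\x20]/, "")
    m = normalized.match(/\A([a-z][a-z0-9+.\-]*):/i)
    return [href, nil] if m.nil? # relative path, fragment or protocol-relative link
    scheme = m[1].downcase
    return [href, nil] if SAFE_HREF_SCHEMES.include?(scheme)
    [@fallback, unsafe(href, "scheme #{scheme}: is not allowed in href")]
  end

  # Returns [true, nil] if the URL may be fetched server-side, else [false, reason].
  # Every resolved address is checked, so a name that resolves to one public and
  # one private address (a DNS rebinding setup) is rejected.
  def validate_url(url)
    uri = URI.parse(url.to_s)
    unless %w[http https].include?(uri.scheme.to_s.downcase)
      return [false, unsafe(url, "scheme #{uri.scheme.inspect} not allowed")]
    end
    host = uri.hostname # unbracketed form of an IPv6 literal
    return [false, unsafe(url, "missing host")] if host.nil? || host.empty?
    addrs = literal_ip?(host) ? [host] : Array(@resolver.call(host))
    return [false, unsafe(url, "#{host} does not resolve")] if addrs.empty?
    blocked = addrs.find { |a| blocked_address?(a) }
    return [false, unsafe(url, "#{host} resolves to blocked address #{blocked}")] if blocked
    [true, nil]
  rescue URI::InvalidURIError => e
    [false, unsafe(url, "unparseable URL: #{e.message}")]
  end

  private

  def unsafe(url, reason)
    @on_unsafe&.call(url, reason)
    reason
  end

  def literal_ip?(host)
    IPAddr.new(host)
    true
  rescue IPAddr::Error
    false # shorthand such as "127.1" is not a literal here and goes to the resolver
  end

  def blocked_address?(addr)
    ip = IPAddr.new(addr)
    ip = ip.native if ip.ipv4_mapped? # ::ffff:10.0.0.1 is really 10.0.0.1
    BLOCKED_RANGES.any? { |range| range.include?(ip) }
  rescue IPAddr::Error
    true # fail closed on anything unparseable
  end
end

# Constructed DNS table so the example runs offline; a real deployment resolves for real.
STUB_DNS = {
  "example.com"      => ["93.184.216.34"],
  "internal.example" => ["10.0.0.5"],
  "rebind.example"   => ["93.184.216.34", "127.0.0.1"],
}.freeze
STUB_RESOLVER = ->(host) { STUB_DNS.fetch(host.downcase, []) }

if $PROGRAM_NAME == __FILE__
  check = ExampleUrlCheck.new(resolver: STUB_RESOLVER,
                              on_unsafe: ->(u, r) { warn "blocked #{u.inspect}: #{r}" })
  ["javascript:alert(1)", "JAVA\tSCRIPT:alert(1)", "data:text/html,x", "/about", "https://example.com/"].each do |h|
    puts "#{h.inspect} -> #{check.sanitize_href(h).first.inspect}"
  end
  ["https://example.com/", "http://internal.example/", "http://rebind.example/",
   "http://[::ffff:169.254.169.254]/latest/meta-data", "ftp://example.com/"].each do |u|
    puts "#{u.inspect} -> #{check.validate_url(u).first}"
  end
end
```

Two caveats apply to any validator of this shape, the gem's included. Resolution happens at validation time, so the HTTP client that later fetches the URL should connect to the addresses that were validated (or re-validate on each redirect) rather than resolve the name again. And hostnames that are not dotted-quad or IPv6 literals, including shorthand like "127.1" or a bare decimal, are handed to the resolver; whatever the resolver returns is what gets range-checked, so the resolver must be the same one the client will use.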

License

MIT