Sanitize-Rails - sanitize .. on Rails.

An easy bridge to integrate Ryan Grove's HTML Whitelist Sanitizer in your Rails application.

Gemfile:

gem 'sanitize-rails', require: 'sanitize/rails'

Pass the configuration to Sanitize calling Sanitize::Rails.configure in an initializer, say config/initializers/sanitizer.rb:

Sanitize::Rails.configure(
  elements:   [ ... ],
  attributes: { ... },
  ...
)

You may pass escape_entities: false if you don't want to escape html entities. Example: Hello & World will not be changed to Hello & World

Check out the example in the example/ directory.

ActionView sanitize helper is transparently overriden to use the Sanitize gem.

A sanitize helper is added to ActiveRecord, that installs on create/save callbacks that sanitize the given attributes before persisting them to the database. Example:

app/models/foo.rb:

class Foo < ActiveRecord::Base
  sanitizes :description # on save by default

  sanitizes :body,    on: :create
  sanitizes :remarks, on: :save
end

spec/spec_helper.rb:

require 'sanitize/rails/matchers'

in spec code:

describe Post do
  # Simplest variant, single field and default values
  it { should sanitize_field :title }

  # Multiple fields
  it { should sanitize_fields :title, :body }

  # Specifing both text to sanitize and expected result
  it { should sanitize_field(:title).replacing('©').with('©') }
end

You should pass field names to matcher in the same way as you do with the sanitize call in the model, otherwise sanitize method won't be found in model.

test/test_helper.rb:

require 'sanitize/rails/test_helpers'

Sanitize::Rails::TestHelpers.setup(self,
  invalid: 'some <a>string',
  valid:   'some <a>string</a>'
)

your test:

assert_sanitizes Model, :field, :some_other_field

Tested with Rails 3.0 and 🆙 under Ruby 1.9.3 and 🆙.

MIT