xss_terminate
is a plugin in that makes stripping and sanitizing HTML stupid-simple. Install and forget. And forget about forgetting to h()
your output, because you won’t need to anymore.
But xss_terminate
is also flexible. By default, it will strip all HTML tags from user input. This is usually what you want, but sometimes you need users to be able to enter HTML. The plugin allows you remove bad HTML with your choice of two whitelist-based sanitizers, or to skip HTML sanitization entirely on a per-field basis.
To install, do:
script/plugin install http://xssterminate.googlecode.com/svn/trunk/xss_terminate
A note on your choices.
-
Strip tags: removes all HTML using Rails’s built-in
strip_tags
method. Tags are removed, but their content is not. -
Rails sanitization: Removes bad HTML with Rails’s built-in sanitize method. Bad tags are removed completely, including their content.
-
HTML5lib sanitization: Removes bad HTML after parsing it with HTML5lib, a library that parses HTML like browsers do. It should be very tolerant of invalid HTML. Bad tags are escaped, not removed.
-
Escape if necessary: replaces all less than characters with the corresponding HTML entity if Rails’s built-in
strip_tags
method would change the value. -
Validate: never changes user input, but adds a validation error if Rails’s built-in
strip_tags
method would change the value. -
Do nothing. You can chose not to process given fields.
Installing the plugin creates a before_validation
hook that will strip HTML tags from all string and text fields. No further configuration is necessary if this is what you want. To customize the behavior, you use the xss_terminate
class method.
To exempt some fields from sanitization, use the :except
option with a list of fields not to process:
class Comment < ActiveRecord::Base xss_terminate :except => [ :body ] end
To sanitize HTML with Rails’s built-in sanitization, use the :sanitize
option:
class Review < ActiveRecord::Base xss_terminate :sanitize => [ :body, :author_name] end
To sanitize HTML with HTML5Lib (gem install html5
to get it), use the :html5lib_sanitize
option with a list of fields to sanitize:
class Entry < ActiveRecord::Base xss_terminate :html5lib_sanitize => [ :body, :author_name ] end
To replace all less than characters with the corresponding HTML entity:
class Review < ActiveRecord::Base xss_terminate :simple_escape => [ :body, :author_name] end
To add a validation error if the input contains the less than character:
class Review < ActiveRecord::Base xss_terminate :validate => [ :body, :author_name] end
You can combine multiple options if you have some fields you would like skipped and others sanitized. Fields not listed in the option arrays will be stripped.
class Message < ActiveRecord::Base xss_terminate :except => [ :body ], :sanitize => [ :title ] end
To change the default sanitizing method for all models you can put this in the beginning of config/environment.rb or in config/preinitializer.rb:
XSS_TERMINATE_DEFAULT = :sanitize
To change the default sanitizing method for one model only:
class Message < ActiveRecord::Base xss_terminate :default => :sanitize end
After installing xss_terminate
and configuring it to your liking, you can run rake xss_terminate MODELS=Foo,Bar,Baz
to execute it against your existing records. This will load each model found and save it again to invoke the before_save hook.
xss_terminate
is based on acts_as_sanitized
. Here is what’s different:
-
Supports Rails 2.0-2.2 (may work on edge Rails)
-
Automatic. It is included with default options in
ActiveReord::Base
so all your models are sanitized. -
It works with migrations. Columns are fetched when model is saved, not when the class is loaded.
-
You can decide whether to sanitize or strip tags on a field-by-field basis instead of model-by-model.
-
HTML5lib support.
-
Performance tests
-
Test suites with “real world” HTML
-
Test/make work with Rails 1.2.x (Rails 1.2 sanitization is crap, so you’d want to use HTML5lib)
Written by Luke Francl and based on acts_as_sanitized by Alex Payne.
HTML5Lib sanitization by Jacques Distler.
MIT License, except for lib/html5lib_sanitize.rb which is under the Ruby license and copyright to Jacques Distler.