Xss Terminate plugin

Plugin details

xss_terminate is a plugin in that makes stripping and sanitizing HTML stupid-simple. Install and forget. And forget about forgetting to h() your output, because you won't need to anymore.

But xss_terminate is also flexible. By default, it will strip all HTML tags from user input. This is usually what you want, but sometimes you need users to be able to enter HTML. The plugin allows you remove bad HTML with your choice of two whitelist-based sanitizers, or to skip HTML sanitization entirely on a per-field basis.

Repositoryhttp://xssterminate.googlecode.com/svn/trunk/xss_terminate Author Jacques Distler Tags Sanitizing LicenseMIT

Documentation

Install the plugin: 
ruby script/plugin install http://xssterminate.googlecode.com/svn/trunk/xss_terminate

== HTML sanitization

A note on your choices.

* Strip tags: removes all HTML using Rails's built-in +strip_tags+ method. Tags are removed, but their content is not.
* Rails sanitization: Removes bad HTML with Rails's built-in sanitize method. Bad tags are removed completely, including their content.
* HTML5lib sanitization: Removes bad HTML after parsing it with {HTML5lib}[http://code.google.com/p/html5lib/], a library that parses HTML like browsers do. It should be very tolerant of invalid HTML. Bad tags are escaped, not removed.
* Do nothing. You can chose not to process given fields.

== Usage

Installing the plugin creates a before_save hook that will strip HTML tags from all string and text fields. No further configuration is necessary if this is what you want. To customize the behavior, you use the xss_terminate class method.

To exempt some fields from sanitization, use the :except option with a list of fields not to process: 

 class Comment < ActiveRecord::Base
   xss_terminate :except => [ :body ]
 end



To sanitize HTML with Rails's built-in sanitization, use the :sanitize option: 

  class Review < ActiveRecord::Base
    xss_sanitize :sanitize => [ :body, :author_name]
  end



To sanitize HTML with {HTML5Lib} (gem install html5 to get it), use the :html5lib_sanitize option with a list of fields to sanitize: 

 class Entry < ActiveRecord::Base
   xss_terminate :html5lib_sanitize => [ :body, :author_name ]
 end



You can combine multiple options if you have some fields you would like skipped and others sanitized. Fields not listed in the option arrays will be stripped. 

 class Message < ActiveRecord::Base
   xss_terminate :except => [ :body ], :sanitize => [ :title ]
 end



== Sanitizing existing records

After installing xss_terminate and configuring it to your liking, you can run 

rake xss_terminate MODELS=Foo,Bar,Baz


to execute it against your existing records. This will load each model found and save it again to invoke the before_save hook.

Further Documentation

There is currently no advanced documentation for this plugin.

New documentation

Edit plugin | Back in time (1 older version) | Last edited by: scott, over 2 years ago