https://github.com/rails/rails-html-sanitizer

Keywords from Contributors

activerecord activejob mvc rubygems rack rspec crash-reporting gem ruby-gem feature-flag

Last synced: about 8 hours ago
JSON representation

Repository metadata

Host: GitHub
URL: https://github.com/rails/rails-html-sanitizer
Owner: rails
License: mit
Created: 2013-09-25T00:54:20.000Z (over 12 years ago)
Default Branch: main
Last Pushed: 2025-12-30T21:11:36.000Z (10 days ago)
Last Synced: 2026-01-08T06:24:49.089Z (1 day ago)
Language: Ruby
Size: 389 KB
Stars: 326
Watchers: 22
Forks: 86
Open Issues: 12
Releases: 14
Metadata Files:
- Readme: README.md
- Changelog: CHANGELOG.md
- Contributing: CONTRIBUTING.md
- License: MIT-LICENSE

Rails HTML Sanitizers

This gem is responsible for sanitizing HTML fragments in Rails applications. Specifically, this is the set of sanitizers used to implement the Action View SanitizerHelper methods sanitize, sanitize_css, strip_tags and strip_links.

Rails HTML Sanitizer is only intended to be used with Rails applications. If you need similar functionality but aren't using Rails, consider using the underlying sanitization library Loofah directly.

Usage

Sanitizers

All sanitizers respond to sanitize, and are available in variants that use either HTML4 or HTML5 parsing, under the Rails::HTML4 and Rails::HTML5 namespaces, respectively.

NOTE: The HTML5 sanitizers are not supported on JRuby. Users may programmatically check for support by calling Rails::HTML::Sanitizer.html5_support?.

FullSanitizer

full_sanitizer = Rails::HTML5::FullSanitizer.new
full_sanitizer.sanitize("<b>Bold</b> no more!  <a href='more.html'>See more here</a>...")
# => Bold no more!  See more here...

or, if you insist on parsing the content as HTML4:

full_sanitizer = Rails::HTML4::FullSanitizer.new
full_sanitizer.sanitize("<b>Bold</b> no more!  <a href='more.html'>See more here</a>...")
# => Bold no more!  See more here...

LinkSanitizer

link_sanitizer = Rails::HTML5::LinkSanitizer.new
link_sanitizer.sanitize('<a href="example.com">Only the link text will be kept.</a>')
# => Only the link text will be kept.

or, if you insist on parsing the content as HTML4:

link_sanitizer = Rails::HTML4::LinkSanitizer.new
link_sanitizer.sanitize('<a href="example.com">Only the link text will be kept.</a>')
# => Only the link text will be kept.

SafeListSanitizer

This sanitizer is also available as an HTML4 variant, but for simplicity we'll document only the HTML5 variant below.

safe_list_sanitizer = Rails::HTML5::SafeListSanitizer.new

# sanitize via an extensive safe list of allowed elements
safe_list_sanitizer.sanitize(@article.body)

# sanitize only the supplied tags and attributes
safe_list_sanitizer.sanitize(@article.body, tags: %w(table tr td), attributes: %w(id class style))

# sanitize via a custom scrubber
safe_list_sanitizer.sanitize(@article.body, scrubber: ArticleScrubber.new)

# prune nodes from the tree instead of stripping tags and leaving inner content
safe_list_sanitizer = Rails::HTML5::SafeListSanitizer.new(prune: true)

# the sanitizer can also sanitize css
safe_list_sanitizer.sanitize_css('background-color: #000;')

Scrubbers

Scrubbers are objects responsible for removing nodes or attributes you don't want in your HTML document.

This gem includes two scrubbers Rails::HTML::PermitScrubber and Rails::HTML::TargetScrubber.

`Rails::HTML::PermitScrubber`

This scrubber allows you to permit only the tags and attributes you want.

scrubber = Rails::HTML::PermitScrubber.new
scrubber.tags = ['a']

html_fragment = Loofah.fragment('<a><img/ ></a>')
html_fragment.scrub!(scrubber)
html_fragment.to_s # => "<a></a>"

By default, inner content is left, but it can be removed as well.

scrubber = Rails::HTML::PermitScrubber.new
scrubber.tags = ['a']

html_fragment = Loofah.fragment('<a><span>text</span></a>')
html_fragment.scrub!(scrubber)
html_fragment.to_s # => "<a>text</a>"

scrubber = Rails::HTML::PermitScrubber.new(prune: true)
scrubber.tags = ['a']

html_fragment = Loofah.fragment('<a><span>text</span></a>')
html_fragment.scrub!(scrubber)
html_fragment.to_s # => "<a></a>"

`Rails::HTML::TargetScrubber`

Where PermitScrubber picks out tags and attributes to permit in sanitization,
Rails::HTML::TargetScrubber targets them for removal. See https://github.com/flavorjones/loofah/blob/main/lib/loofah/html5/safelist.rb for the tag list.

Note: by default, it will scrub anything that is not part of the permitted tags from
loofah HTML5::Scrub.allowed_element?.

scrubber = Rails::HTML::TargetScrubber.new
scrubber.tags = ['img']

html_fragment = Loofah.fragment('<a><img/ ></a>')
html_fragment.scrub!(scrubber)
html_fragment.to_s # => "<a></a>"

Similarly to PermitScrubber, nodes can be fully pruned.

scrubber = Rails::HTML::TargetScrubber.new
scrubber.tags = ['span']

html_fragment = Loofah.fragment('<a><span>text</span></a>')
html_fragment.scrub!(scrubber)
html_fragment.to_s # => "<a>text</a>"

scrubber = Rails::HTML::TargetScrubber.new(prune: true)
scrubber.tags = ['span']

html_fragment = Loofah.fragment('<a><span>text</span></a>')
html_fragment.scrub!(scrubber)
html_fragment.to_s # => "<a></a>"

Custom Scrubbers

You can also create custom scrubbers in your application if you want to.

class CommentScrubber < Rails::HTML::PermitScrubber
  def initialize
    super
    self.tags = %w( form script comment blockquote )
    self.attributes = %w( style )
  end

  def skip_node?(node)
    node.text?
  end
end

See Rails::HTML::PermitScrubber documentation to learn more about which methods can be overridden.

Custom Scrubber in a Rails app

Using the CommentScrubber from above, you can use this in a Rails view like so:

<%= sanitize @comment, scrubber: CommentScrubber.new %>

A note on HTML entities

Rails HTML sanitizers are intended to be used by the view layer, at page-render time. They are not intended to sanitize persisted strings that will be sanitized again at page-render time.

Proper HTML sanitization will replace some characters with HTML entities. For example, text containing a < character will be updated to contain < to ensure that the markup is well-formed.

This is important to keep in mind because HTML entities will render improperly if they are sanitized twice.

A concrete example showing the problem that can arise

Imagine the user is asked to enter their employer's name, which will appear on their public profile page. Then imagine they enter JPMorgan Chase & Co..

If you sanitize this before persisting it in the database, the stored string will be JPMorgan Chase & Co.

When the page is rendered, if this string is sanitized a second time by the view layer, the HTML will contain JPMorgan Chase &amp; Co. which will render as "JPMorgan Chase & Co.".

Another problem that can arise is rendering the sanitized string in a non-HTML context (for example, if it ends up being part of an SMS message). In this case, it may contain inappropriate HTML entities.

Suggested alternatives

You might simply choose to persist the untrusted string as-is (the raw input), and then ensure that the string will be properly sanitized by the view layer.

That raw string, if rendered in an non-HTML context (like SMS), must also be sanitized by a method appropriate for that context. You may wish to look into using Loofah or Sanitize to customize how this sanitization works, including omitting HTML entities in the final string.

If you really want to sanitize the string that's stored in your database, you may wish to look into Loofah::ActiveRecord rather than use the Rails HTML sanitizers.

A note on module names

In versions < 1.6, the only module defined by this library was Rails::Html. Starting in 1.6, we define three additional modules:

Rails::HTML for general functionality (replacing Rails::Html)
Rails::HTML4 containing sanitizers that parse content as HTML4
Rails::HTML5 containing sanitizers that parse content as HTML5 (if supported)

The following aliases are maintained for backwards compatibility:

Rails::Html points to Rails::HTML
Rails::HTML::FullSanitizer points to Rails::HTML4::FullSanitizer
Rails::HTML::LinkSanitizer points to Rails::HTML4::LinkSanitizer
Rails::HTML::SafeListSanitizer points to Rails::HTML4::SafeListSanitizer

Installation

Add this line to your application's Gemfile:

gem 'rails-html-sanitizer'

And then execute:

$ bundle

Or install it yourself as:

$ gem install rails-html-sanitizer

Support matrix

branch	ruby support	actively maintained	security support
1.6.x	>= 2.7	yes	yes
1.5.x	>= 2.5	no	while Rails 6.1 is in security support
1.4.x	>= 1.8.7	no	no

Loofah is what underlies the sanitizers and scrubbers of rails-html-sanitizer.

Loofah and Loofah Scrubbers

The node argument passed to some methods in a custom scrubber is an instance of Nokogiri::XML::Node.

Contributing to Rails HTML Sanitizers

Rails HTML Sanitizers is work of many contributors. You're encouraged to submit pull requests, propose features and discuss issues.

See CONTRIBUTING.

Security reports

Trying to report a possible security vulnerability in this project? Please check out the Rails project's security policy for instructions.

License

Rails HTML Sanitizers is released under the MIT License.

Owner metadata

Name: Ruby on Rails
Login: rails
Email:
Kind: organization
Description:
Website: https://rubyonrails.org/
Location:
Twitter:
Company:
Icon url: https://avatars.githubusercontent.com/u/4223?v=4
Repositories: 116
Last ynced at: 2023-04-09T03:40:20.529Z
Profile URL: https://github.com/rails

GitHub Events

Total

Create event: 13
Issues event: 5
Release event: 2
Watch event: 20
Delete event: 9
Issue comment event: 21
Push event: 17
Pull request event: 24
Fork event: 8

Last Year

Issues event: 2
Watch event: 13
Delete event: 6
Issue comment event: 12
Push event: 8
Pull request event: 17
Fork event: 6
Create event: 8

Committers metadata

Last synced: 1 day ago

Total Commits: 243
Total Committers: 34
Avg Commits per committer: 7.147
Development Distribution Score (DDS): 0.58

Commits in past year: 9
Committers in past year: 2
Avg Commits per committer in past year: 4.5
Development Distribution Score (DDS) in past year: 0.222

Name	Email	Commits
Mike Dalessio	m**o@g**m	102
Timm	k**h@g**m	51
Rafael Mendonça França	r**a@p**r	21
dependabot[bot]	4****]	11
Juanito Fatas	j**s@s**m	7
Akira Matsuda	r**e@d**p	6
Rafael Mendonça França	r**a@g**m	6
Rafael Mendonça França + Kasper Timm Hansen	r**h@g**m	5
Godfrey Chan	g**c@g**m	3
Fabian Schwahn	f**n@g**m	3
Aaron Patterson	a**n@g**m	2
Nicolas Leger	n****r	2
m-nakamura145	m**5@g**m	2
seyerian	s**n@p**e	2
Akhil G Krishnan	a**u@g**m	1
George Claghorn	g**e@b**m	1
Igor Victor	g**a@y**u	1
yui-knk	s**a@g**m	1
rwojnarowski	r**2@g**m	1
maclover7	me@j****e	1
Trevor John	t**r@j**j	1
Tebs	q**a@g**m	1
Sean Doyle	s****e	1
Robb Shecter	r**b@p**w	1
Pavel Valena	p**a@r**m	1
Paul Mesnilgrente	w**b@p**m	1
Orien Madgwick	_@o****o	1
Olle Jonsson	o**n@g**m	1
Neo Elit	n**s@g**m	1
Katsuhiko YOSHIDA	c**d@g**m	1
and 4 more...

Committer domains:

Issue and Pull Request metadata

Last synced: 10 days ago

Total issues: 47
Total pull requests: 131
Average time to close issues: 8 months
Average time to close pull requests: 20 days
Total issue authors: 42
Total pull request authors: 46
Average comments per issue: 4.09
Average comments per pull request: 1.09
Merged pull request: 95
Bot issues: 0
Bot pull requests: 21

Past year issues: 2
Past year pull requests: 20
Past year average time to close issues: N/A
Past year average time to close pull requests: 3 days
Past year issue authors: 2
Past year pull request authors: 3
Past year average comments per issue: 0.0
Past year average comments per pull request: 0.4
Past year merged pull request: 15
Past year bot issues: 0
Past year bot pull requests: 14

More stats: https://issues.ecosyste.ms/repositories/lookup?url=https://github.com/rails/rails-html-sanitizer

Top Issue Authors

flavorjones (4)
archonic (2)
naitoh (2)
paul-mesnilgrente (1)
vividtone (1)
jorg-vr (1)
jackphelps (1)
moritzhoeppner (1)
mm580486 (1)
puneet-sutar (1)
Sim4n6 (1)
srecnig (1)
mattt416 (1)
goromlagche (1)
Segaja (1)

Top Pull Request Authors

flavorjones (49)
dependabot[bot] (21)
JuanitoFatas (6)
m-nakamura145 (3)
Earlopain (2)
seyerian (2)
ch4n3-yoon (2)
dogweather (2)
jweir (2)
seanpdoyle (2)
rubyrider (2)
akhilgkrishnan (2)
nacengineer (2)
tongueroo (2)
adrianotadao (1)

Top Issue Labels

enhancement (2)
topic/html5 (1)

Top Pull Request Labels

dependencies (21)
ruby (10)

Package metadata

Total packages: 3
Total downloads:
- rubygems: 1,237,684,168 total
Total docker downloads: 1,642,128,344
Total dependent packages: 32 (may contain duplicates)
Total dependent repositories: 517,903 (may contain duplicates)
Total versions: 55
Total maintainers: 13
Total advisories: 34

gem.coop: rails-html-sanitizer

HTML sanitization for Rails applications

Homepage: https://github.com/rails/rails-html-sanitizer
Documentation: http://www.rubydoc.info/gems/rails-html-sanitizer/
Licenses: MIT
Latest release: 1.6.2 (published about 1 year ago)
Last Synced: 2026-01-07T23:23:23.423Z (2 days ago)
Versions: 19
Dependent Packages: 0
Dependent Repositories: 0
Downloads: 618,878,729 Total
Docker Downloads: 821,064,172
Rankings:
- Dependent repos count: 0.0%
- Dependent packages count: 0.0%
- Average: 0.01%
- Downloads: 0.031%
Maintainers (13)
- tenderlove
- webster132
- guilleiguaran
- fxn
- cantoniodasilva
- rafaelfranca
- jeremydaer
- matthewd
- eileencodes
- byroot
- jhawthorn
- kamipo
- flavorjones
Advisories:

rubygems.org: rails-html-sanitizer