Module: ConcernsOnRails::Support::HtmlSanitizers

Defined in:
lib/concerns_on_rails/support/html_sanitizers.rb

Overview

Memoized, feature-detected HTML sanitizer instances shared by the sanitizing concerns (currently Models::Sanitizable).

Picks the HTML5 parser (Rails::HTML5::*, the default since Rails 7.1, so it matches the output of the host app’s own ActionView sanitize / strip_tags helpers) when the platform supports it, and otherwise falls back to HTML4 (the HTML5 parser, libgumbo, is not available on JRuby), mirroring what Rails core does.

The namespace decision and each sanitizer are built lazily on first use, so libgumbo / ActionView is never probed at file-load time, and the instances are reused rather than re-allocated per attribute access. Sharing them is safe for the option-less #sanitize calls made here; SafeListSanitizer#sanitize with per-call :tags / :attributes mutates the instance's shared scrubber and should not be shared across threads that way.

We reference Rails::HTML5 / Rails::HTML4 explicitly: the bare Rails::HTML::* constants (e.g. Rails::HTML::FullSanitizer) are backward-compatibility aliases that silently resolve to the HTML4 implementation, so going through them would reintroduce the parser mismatch with ActionView that the feature detection exists to avoid.

Class Method Details

.full ⇒ Object

Removes every tag, keeping the inner text. The safe default and the only sanitizer appropriate for a destructive write (it cannot reintroduce markup). As with ActionView’s strip_tags, the surviving text comes back entity-encoded (`&` becomes `&amp;`), so a value stored this way and later rendered through an escaping template is escaped twice unless it is decoded before the write.

# File 'lib/concerns_on_rails/support/html_sanitizers.rb', line 47

def full
  @full ||= namespace::FullSanitizer.new
end

.link ⇒ Object

Strips only <a> tags, keeping their visible text and any other markup. This is not a safety filter: every element other than <a>, <script> included, passes through untouched, so its output must never be treated as safe HTML.

# File 'lib/concerns_on_rails/support/html_sanitizers.rb', line 58

def link
  @link ||= namespace::LinkSanitizer.new
end

.namespace ⇒ Object

Returns Rails::HTML5 when rails-html-sanitizer reports HTML5 support (html5_support? exists from 1.6.0), otherwise Rails::HTML4. Memoized, so the probe runs once per process.

# File 'lib/concerns_on_rails/support/html_sanitizers.rb', line 33

def namespace
  @namespace ||=
    if defined?(Rails::HTML::Sanitizer) &&
       Rails::HTML::Sanitizer.respond_to?(:html5_support?) &&
       Rails::HTML::Sanitizer.html5_support?
      Rails::HTML5
    else
      Rails::HTML4
    end
end

.safe ⇒ Object

Rails’ curated allow-list, the same defaults ActionView’s sanitize uses: keeps formatting tags (em / strong / a / p…), removes disallowed elements such as <script> / <iframe> (the element is stripped rather than pruned, so any text inside it survives as escaped text), and drops href / src attributes whose scheme is not on the allow list, javascript: included.

# File 'lib/concerns_on_rails/support/html_sanitizers.rb', line 53

def safe
  @safe ||= namespace::SafeListSanitizer.new
end