Class: Storytime::Snippet

Inherits:
ActiveRecord::Base
  • Object
show all
Includes:
ScopedToSite
Defined in:
app/models/storytime/snippet.rb

Instance Method Summary collapse

Instance Method Details

#sanitize_contentObject

Snippet content is rendered with raw in the front-end (see app/views/storytime/snippets/_snippet.html.erb), so it must be scrubbed on write with the same allow-list used for Post/Page content. Otherwise an editor could store arbitrary HTML/JS (stored XSS).



15
16
17
18
# File 'app/models/storytime/snippet.rb', line 15

def sanitize_content
  return if Storytime.post_sanitizer.blank? || content.blank?
  self.content = Storytime.post_sanitizer.call(content)
end