loofah
Loofah is a general library for manipulating and transforming HTML/XML documents and fragments, built on top of Nokogiri.
Loofah excels at HTML sanitization (XSS prevention). It includes some nice HTML sanitizers, which are based on HTML5lib's safelist, so it most likely won't make your codes less secure. (These statements have not been evaluated by Netexperts.)
Features:
- Easily write custom scrubbers for HTML/XML leveraging the sweetness of Nokogiri (and HTML5lib's safelists).
- Common HTML sanitizing tasks are built-in:
- Strip unsafe tags, leaving behind only the inner text.
- Prune unsafe tags and their subtrees, removing all traces that they ever existed.
- Escape unsafe tags and their subtrees, leaving behind lots of < and > entities.
- Whitewash the markup, removing all attributes and namespaced nodes.
- Common HTML transformation tasks are built-in:
- Add the nofollow attribute to all hyperlinks.
- Format markup as plain text, with or without sensible whitespace handling around block elements.
- Replace Rails's strip_tags and sanitize view helper methods.
Example Use
require 'loofah'
html_string = '<p>Hello <b>World!</b> <a href="javascript:alert(1)">Link</a></p>'
# Sanitize the HTML string
scrubbed_html = Loofah.fragment(html_string)
scrubbed_html.scrub!(:strip)
scrubbed_html.scrub!(:strip_enveloping_whitespace)
scrubbed_html.scrub!(:strip_tags, "b")
scrubbed_html.scrub!(:remove_attribute, "a", "href")
puts scrubbed_html.to_s
# Output: <p>Hello World! <a>Link</a></p>