I've been using the sanitize method in a Rails 4 app to scrub a page which displays html that users generate to prevent unsafe things like script injection. So I have a view that looks like:
sanitize @user_input
Right now I'm having issues when users are entering video tags with a source tag under it like so:
<video><source src="foo.bar"></video>
Unfortunately it looks like sanitize is stripping out the source tag so videos are no longer working. How do I use sanitize so it allows source tags? Also how can I get a list of tags that are being allowed/dis-allowed? It'd be great to understand what is going under the hood.
Just to be fully clear, I'd like to be able to add the source tag to the whitelist. When I specify it as an allowed tag in the arguments for sanitize it removes all the previous defaults for whitelisted tags. For example, I'd still like to allow default tags like a, h1, etc.
How do I add source to the whitelist instead of completely replacing it?
After digging through the source I've found that the list of default elements allowed is based on Loofah's WhiteList Sanitize
Loofah::HTML5::WhiteList::ALLOWED_ELEMENTS_WITH_LIBXML2
Loofah::HTML5::WhiteList::ALLOWED_ATTRIBUTES
So to add <source> to the default list you could do the following:
# dup first: Set#add mutates in place, and this constant is shared by every other sanitize call in the app
default_tags = Loofah::HTML5::WhiteList::ALLOWED_ELEMENTS_WITH_LIBXML2.dup.add('source')
default_attributes = Loofah::HTML5::WhiteList::ALLOWED_ATTRIBUTES
sanitize @user_input, tags: default_tags, attributes: default_attributes