mirror of
https://github.com/openfoodfoundation/openfoodnetwork
synced 2026-01-25 20:46:48 +00:00
34 lines
1.1 KiB
Ruby
34 lines
1.1 KiB
Ruby
# frozen_string_literal: true
|
|
|
|
# Keeps only allowed HTML.
|
|
#
|
|
# We store some rich text as HTML in attributes of models like Enterprise.
|
|
# We offer an editor which supports certain tags but you can't insert just any
|
|
# HTML, which would be dangerous.
|
|
class HtmlSanitizer
|
|
# div is required by Trix editor
|
|
ALLOWED_TAGS = %w[h1 h2 h3 h4 div p br b i u a strong em del pre blockquote ul ol li hr
|
|
figure].freeze
|
|
ALLOWED_ATTRIBUTES = %w[href target].freeze
|
|
ALLOWED_TRIX_DATA_ATTRIBUTES = %w[data-trix-attachment].freeze
|
|
|
|
def self.sanitize(html)
|
|
@sanitizer ||= Rails::HTML5::SafeListSanitizer.new
|
|
@sanitizer.sanitize(
|
|
html, tags: ALLOWED_TAGS, attributes: (ALLOWED_ATTRIBUTES + ALLOWED_TRIX_DATA_ATTRIBUTES)
|
|
)
|
|
end
|
|
|
|
def self.sanitize_and_enforce_link_target_blank(html)
|
|
sanitize(enforce_link_target_blank(html))
|
|
end
|
|
|
|
def self.enforce_link_target_blank(html)
|
|
return if html.nil?
|
|
|
|
Nokogiri::HTML::DocumentFragment.parse(html).tap do |document|
|
|
document.css("a").each { |link| link["target"] = "_blank" }
|
|
end.to_s
|
|
end
|
|
end
|