Skip to content

elixirstatus/phoenix_html_sanitizer

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

29 Commits
config
config
 
 
lib
lib
 
 
test
test
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
mix.exs
mix.exs
 
 
mix.lock
mix.lock
 
 

Repository files navigation

Phoenix HTML Sanitizer Deps Status Inline docs

phoenix_html_sanitizer provides a simple way to sanitize user input in your Phoenix app.

It is extracted from the elixirstatus.com project, where it is used to sanitize user annoucements from around the Elixir community.

What can it do?

phoenix_html_sanitizer parses a given HTML string and either completely strips it from HTML tags or sanitizes it by only allowing certain HTML elements and attributes to be present. It depends on html_sanitize_ex to do this.

Installation

Add phoenix_html_sanitizer as a dependency in your mix.exs file.

defp deps do
  [
    # ...
    {:phoenix_html_sanitizer, "~> 1.2"}
  ]
end

After you are done, run mix deps.get in your shell.

To include the Sanitizer into all your views, you can add it to your web.ex file:

    def view do
      quote do
        use Phoenix.View, root: "web/templates"

        [snip]

        # Use all HTML functionality (forms, tags, etc)
        import Phoenix.HTML
        import Phoenix.HTML.Form
        use PhoenixHTMLHelpers
        use PhoenixHtmlSanitizer, :basic_html         <-------- add this line
      end
    end

You have to set one of three base modes here:

  • :strip_tags - all tags are stripped from the input.
  • :basic_html - some basic HTML tags are allowed. This is great for allowing basic usages of HTML for sites like online forums and it works great in combination with a Markdown parser.
  • :full_html - all HTML5 tags are allowed and sanitized.

After you included PhoenixHtmlSanitizer into your web.ex, it will provide two functions in your views:

  • sanitize/1 uses the defined base mode,
  • sanitize/2 takes the mode as second parameter.

Usage in views

sanitize can strip all tags from the given string:

    text = "<a href=\"javascript:alert('XSS');\">text here</a>"
    sanitize(text, :strips_tags)
    # => {:safe, "text here"}

Or allow certain basic HTML elements to remain:

    text = "<h1>Hello <script>World!</script></h1>"
    sanitize(text, :basic_html)
    # => {:safe, "<h1>Hello World!</h1>"}
    text = "<header>Hello <script>World!</script></header>"
    sanitize(text, :full_html)
    # => {:safe, "<header>Hello World!</header>"}

Notice how the output follows the Phoenix.HTML.Safe protocol.

Thus both sanitize/1 and sanitize/2 can be used directly in your views:

<%= sanitize "<h1>Hello <script>World!</script></h1>" %>

This prints <h1>Hello World!</h1> into your eex template.

Contributing

  1. Fork it!
  2. Create your feature branch (git checkout -b my-new-feature)
  3. Commit your changes (git commit -am 'Add some feature')
  4. Push to the branch (git push origin my-new-feature)
  5. Create new Pull Request

Author

René Föhring (@rrrene)

License

phoenix_html_sanitizer is released under the MIT License. See the LICENSE file for further details.

About

HTML Sanitizer for Phoenix

Resources

Readme

License

MIT license
Activity
Custom properties

Stars

27 stars

Watchers

3 watching

Forks

13 forks
Report repository

Releases

6 tags

Packages

No packages published

Contributors 3

  •  
  •  
  •  

Languages