HtmlSanitizeEx.Scrubber.Meta (html_sanitize_ex v1.4.3) View Source

This module contains some meta-programming magic to define your own rules for scrubbers.

The StripTags scrubber is a good starting point:

defmodule HtmlSanitizeEx.Scrubber.StripTags do
  require HtmlSanitizeEx.Scrubber.Meta
  alias HtmlSanitizeEx.Scrubber.Meta

  # Removes any CDATA tags before the traverser/scrubber runs.
  Meta.remove_cdata_sections_before_scrub

  Meta.strip_comments

  Meta.strip_everything_not_covered
end

You can use the allow_tag_with_uri_attributes/3 and allow_tag_with_these_attributes/2 macros to define what is allowed:

defmodule HtmlSanitizeEx.Scrubber.StripTags do
  require HtmlSanitizeEx.Scrubber.Meta
  alias HtmlSanitizeEx.Scrubber.Meta

  # Removes any CDATA tags before the traverser/scrubber runs.
  Meta.remove_cdata_sections_before_scrub

  Meta.strip_comments

  Meta.allow_tag_with_uri_attributes   "img", ["src"], ["http", "https"]
  Meta.allow_tag_with_these_attributes "img", ["width", "height"]

  Meta.strip_everything_not_covered
end

You can stack these if convenient:

Meta.allow_tag_with_uri_attributes   "img", ["src"], ["http", "https"]
Meta.allow_tag_with_these_attributes "img", ["width", "height"]
Meta.allow_tag_with_these_attributes "img", ["title", "alt"]

Link to this section Summary

Functions

allow_tag_with_any_attributes(tag_name)

Allow any attributes for the specified +tag+.

allow_tag_with_these_attributes(tag_name, list \\ [])

Allow the given +list+ of attributes for the specified +tag+.

allow_tag_with_this_attribute_values(tag_name, attribute, values)

Allow the given list of +values+ for the given +attribute+ on the specified +tag+.

allow_tag_with_uri_attributes(tag, list, valid_schemes)

Allow the given +list+ of attributes to contain URI information for the specified +tag+.

allow_tags_and_scrub_their_attributes(list)

Allow these tags and use the regular scrub_attribute/2 function to scrub the attributes.

allow_tags_with_style_attributes(list)

remove_cdata_sections_before_scrub()

Removes any CDATA tags before the traverser/scrubber runs.

strip_comments()

Strips all comments.

strip_everything_not_covered()

Ensures any tags/attributes not explicitly whitelisted until this statement are stripped.

Link to this section Functions

allow_tag_with_any_attributes(tag_name)

(macro)

Allow any attributes for the specified +tag+.

Meta.allow_tag_with_any_attributes "a"

Meta.allow_tag_with_any_attributes "img"

allow_tag_with_these_attributes(tag_name, list \\ [])

(macro)

Allow the given +list+ of attributes for the specified +tag+.

Meta.allow_tag_with_these_attributes "a", ["name", "title"]

Meta.allow_tag_with_these_attributes "img", ["title", "alt"]

allow_tag_with_this_attribute_values(tag_name, attribute, values)

(macro)

Allow the given list of +values+ for the given +attribute+ on the specified +tag+.

Meta.allow_tag_with_this_attribute_values "a", "target", ["_blank"]

allow_tag_with_uri_attributes(tag, list, valid_schemes)

(macro)

Allow the given +list+ of attributes to contain URI information for the specified +tag+.

# Only allow SSL-enabled and mailto links
Meta.allow_tag_with_uri_attributes "a", ["href"], ["https", "mailto"]

# Only allow none-SSL images
Meta.allow_tag_with_uri_attributes "img", ["src"], ["http"]

allow_tags_and_scrub_their_attributes(list)

(macro)

Allow these tags and use the regular scrub_attribute/2 function to scrub the attributes.

allow_tags_with_style_attributes(list)

(macro)

remove_cdata_sections_before_scrub()

(macro)

Removes any CDATA tags before the traverser/scrubber runs.

strip_comments()

(macro)

Strips all comments.

strip_everything_not_covered()

(macro)

Ensures any tags/attributes not explicitly whitelisted until this statement are stripped.