phoenix_html_sanitizer
provides a simple way to sanitize user input in your Phoenix app.
It is extracted from the elixirstatus.com project, where it is used to sanitize user annoucements from around the Elixir community.
phoenix_html_sanitizer
parses a given HTML string and either completely strips it from HTML tags or sanitizes it by only allowing certain HTML elements and attributes to be present. It depends on html_sanitize_ex to do this.
Add phoenix_html_sanitizer as a dependency in your mix.exs
file.
defp deps do
[
# ...
{:phoenix_html_sanitizer, "~> 1.0.0"}
]
end
After you are done, run mix deps.get
in your shell.
To include the Sanitizer into all your views, you can add it to your web.ex
file:
def view do
quote do
use Phoenix.View, root: "web/templates"
[snip]
# Use all HTML functionality (forms, tags, etc)
use Phoenix.HTML
use PhoenixHtmlSanitizer, :basic_html <-------- add this line
end
end
You have to set one of three base modes here:
:strip_tags
- all tags are stripped from the input.:basic_html
- some basic HTML tags are allowed. This is great for allowing basic usages of HTML for sites like online forums and it works great in combination with a Markdown parser.:full_html
- all HTML5 tags are allowed and sanitized.
After you included PhoenixHtmlSanitizer
into your web.ex
, it will provide
two functions in your views:
sanitize/1
uses the defined base mode,sanitize/2
takes the mode as second parameter.
sanitize
can strip all tags from the given string:
text = "<a href=\"javascript:alert('XSS');\">text here</a>"
sanitize(text, :strips_tags)
# => {:safe, "text here"}
Or allow certain basic HTML elements to remain:
text = "<h1>Hello <script>World!</script></h1>"
sanitize(text, :basic_html)
# => {:safe, "<h1>Hello World!</h1>"}
text = "<header>Hello <script>World!</script></header>"
sanitize(text, :full_html)
# => {:safe, "<header>Hello World!</header>"}
Notice how the output follows the Phoenix.HTML.Safe protocol.
Thus both sanitize/1
and sanitize/2
can be used directly in your views:
<%= sanitize "<h1>Hello <script>World!</script></h1>" %>
This prints <h1>Hello World!</h1>
into your eex
template.
- Fork it!
- Create your feature branch (
git checkout -b my-new-feature
) - Commit your changes (
git commit -am 'Add some feature'
) - Push to the branch (
git push origin my-new-feature
) - Create new Pull Request
René Föhring (@rrrene)
phoenix_html_sanitizer is released under the MIT License. See the LICENSE file for further details.