rails/rails-html-sanitizer

Custom Scrubber allowed_node? not being invoked!!!

NeoElit opened this issue · 7 comments

I tried using a custom scrubber for html sanitizer as mentioned in the readme, however it doesn't seem to clear unallowed tags. In fact it's not even calling the allowed_node? method.

https://gist.github.com/NeoElit/d1fe81aa60e7d61247f80e2ebdbf0358

Is this a bug or am I doing something wrong?

You haven't set any allowed tags for the permit scrubber to filter on, so it'll assume you want Loofah's secure defaults and won't call that method. Agree that it's a bit confusing but that's how it is 😁

@kaspth what do you mean by I haven't set any allowed tags? I have overridden the allowed_node? method and am checking if the node is in the provided set and returning a truth boolean depending on whether to filter or not. I just tried the example provided in the ReadMe file. I'm confused.

@kaspth if you mean defining allowed_tags(options), I tried that, but couldn't get it working.
It would be great if you can point me to some example or something :)

Also, setting class-level allowed tags and attributes as per http://blog.plataformatec.com.br/2014/07/the-new-html-sanitizer-in-rails-4-2/ throws NoMethodError for me: :(

I'm working on Rails 4.2.6

You should set tags on the scrubber.

I've updated the misleading docs here: https://github.com/rails/rails-html-sanitizer/blob/master/lib/rails/html/scrubbers.rb#L22-L34

Thanks! ❤️

@kaspth great, that works 👍
note: the doc change is not yet reflected on the main Readme file

Thank you so much :)

Sweet! And why not submit a pull request then? :)

@kaspth Sent one :)