Add WYSIWYGSanitizer

2015-07-31 15:40:32 +02:00
parent 2ea638967b
commit 9ab8910329
2 changed files with 34 additions and 0 deletions
--- a/app/services/wysiwyg_sanitizer.rb
+++ b/app/services/wysiwyg_sanitizer.rb
@@ -0,0 +1,10 @@
+class WYSIWYGSanitizer
+
+  ALLOWED_TAGS = %w(p ul ol li strong em u s)
+  ALLOWED_ATTRIBUTES = []
+
+  def sanitize(html)
+    ActionController::Base.helpers.sanitize(html, tags: ALLOWED_TAGS, attributes: ALLOWED_ATTRIBUTES)
+  end
+
+end
--- a/spec/services/wysiwyg_sanitizer_spec.rb
+++ b/spec/services/wysiwyg_sanitizer_spec.rb
@@ -0,0 +1,24 @@
+require 'rails_helper'
+
+describe WYSIWYGSanitizer do
+
+  subject { described_class.new }
+
+  describe '#sanitize' do
+
+    it 'returns an html_safe string' do
+      expect(subject.sanitize('hello')).to be_html_safe
+    end
+
+    it 'allows basic html formatting' do
+      html = '<p>This is <strong>a paragraph</strong></p>'
+      expect(subject.sanitize(html)).to eq(html)
+    end
+
+    it 'filters out dangerous tags' do
+      html = '<p>This is <script>alert("dangerous");</script></p>'
+      expect(subject.sanitize(html)).to eq('<p>This is alert("dangerous");</p>')
+    end
+  end
+
+end