summaryrefslogtreecommitdiff
path: root/app/validators/html_safety_validator.rb
blob: 29e7d445697cae5801bbb1aee19730117be01a21 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
# frozen_string_literal: true

# HtmlSafetyValidator
#
# Validates that a value does not contain HTML
# or other unsafe content that could lead to XSS.
# Relies on Rails HTML Sanitizer:
# https://github.com/rails/rails-html-sanitizer
#
# Example:
#
#   class Group < ActiveRecord::Base
#     validates :name, presence: true, html_safety: true
#   end
#
class HtmlSafetyValidator < ActiveModel::EachValidator
  def validate_each(record, attribute, value)
    return if value.blank? || safe_value?(value)

    record.errors.add(attribute, self.class.error_message)
  end

  def self.error_message
    _("cannot contain HTML/XML tags, including any word between angle brackets (<,>).")
  end

  private

  # The `FullSanitizer` encodes ampersands as the HTML entity name.
  # This isn't particularly necessary for preventing XSS so the ampersand
  # is pre-encoded to avoid it being flagged in the comparison.
  def safe_value?(text)
    pre_encoded_text = text.gsub('&', '&amp;')
    Rails::Html::FullSanitizer.new.sanitize(pre_encoded_text) == pre_encoded_text
  end
end