151

I'm working with Ruby on Rails, Is there a way to strip html from a string using sanitize or equal method and keep only text inside value attribute on input tag?

Improve this question
0

9 Answers 9

Reset to default
214

If we want to use this in model

ActionView::Base.full_sanitizer.sanitize(html_string)

which is the code in "strip_tags" method

Improve this answer
Sign up to request clarification or add additional context in comments.

3 Comments

This works but referring to ActionView from the mdoel is awkward. More cleanly you can require 'html/sanitizer' and instantiate your own sanitizer with HTML::FullSanitizer.new.
@nhaldimann, require 'html/sanitizer' raises error so I have to use: Rails::Html::FullSanitizer.new (edgeapi.rubyonrails.org/classes/HTML/…)
I'm using Rails::Html::FullSanitizer.new.sanitize(string) with Rails 7
152

There's a strip_tags method in ActionView::Helpers::SanitizeHelper:

http://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html#method-i-strip_tags

Edit: for getting the text inside the value attribute, you could use something like Nokogiri with an Xpath expression to get that out of the string.

Improve this answer

Comments

39 
ActionView::Base.full_sanitizer.sanitize(html_string)

White list of tags and attributes can be specified as bellow

ActionView::Base.full_sanitizer.sanitize(html_string, :tags => %w(img br p), :attributes => %w(src style))

Above statement allows tags img, br and p and attributes src and style.

Improve this answer

Comments

38

Yes, call this: sanitize(html_string, tags:[])

Improve this answer

1 Comment

Working well in 2024 and Rails 7, no extra requires/includes required here. The tags: [] argument is important, this is what excludes all HTML tags. Otherwise you'll actually get raw HTML and that will render in-page.
10

I've used the Loofah library, as it is suitable for both HTML and XML (both documents and string fragments). It is the engine behind the html sanitizer gem. I'm simply pasting the code example to show how simple it is to use.

Loofah Gem

unsafe_html = "ohai! <div>div is safe</div> <script>but script is not</script>"

doc = Loofah.fragment(unsafe_html).scrub!(:strip)
doc.to_s    # => "ohai! <div>div is safe</div> "
doc.text    # => "ohai! div is safe "
Improve this answer

Comments

3

If you want to remove all html tags you can use

   htm.gsub(/<[^>]*>/,'')
Improve this answer

Comments

2

How about this?

white_list_sanitizer = Rails::Html::WhiteListSanitizer.new
WHITELIST = ['p','b','h1','h2','h3','h4','h5','h6','li','ul','ol','small','i','u']


[Your, Models, Here].each do |klass| 
  klass.all.each do |ob| 
    klass.attribute_names.each do |attrs|
      if ob.send(attrs).is_a? String
        ob.send("#{attrs}=", white_list_sanitizer.sanitize(ob.send(attrs), tags: WHITELIST, attributes: %w(id style)).gsub(/<p>\s*<\/p>\r\n/im, ''))
        ob.save
      end
    end
  end
end
Improve this answer

1 Comment

There is also Rails::Html::FullSanitizer.new if you don't want to specify a whitelist.
0

This is working for me in rails 6.1.3:

.errors-description
  = sanitize(message, tags: %w[div span strong], attributes: %w[class])
Improve this answer

Comments

0

If your HTML is coming from ActionText, you can do .to_plain_text:

@my_string = <p>My HTML String</p>
@my_string.to_plain_text
=> My HTML String

https://www.rubydoc.info/github/rails/rails/ActionText%2FContent:to_plain_text

Improve this answer

2 Comments

What is this? .to_plain_text isn't a thing in the core.
@JoshuaPinter You are correct. Just updated my answer. Thanks!

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.