Phoenix HTML Sanitizer

phoenix_html_sanitizer provides a simple way to sanitize user input in your Phoenix app.

It is extracted from the elixirstatus.com project, where it is used to sanitize user annoucements from around the Elixir community.

What can it do?

phoenix_html_sanitizer parses a given HTML string and either completely strips it from HTML tags or sanitizes it by only allowing certain HTML elements and attributes to be present. It depends on html_sanitize_ex to do this.

Installation

Add phoenix_html_sanitizer as a dependency in your mix.exs file.

defp deps do
  [
    # ...
    {:phoenix_html_sanitizer, "~> 1.2"}
  ]
end

After you are done, run mix deps.get in your shell.

To include the Sanitizer into all your views, you can add it to your web.ex file:

    def view do
      quote do
        use Phoenix.View, root: "web/templates"

        [snip]

        # Use all HTML functionality (forms, tags, etc)
        import Phoenix.HTML
        import Phoenix.HTML.Form
        use PhoenixHTMLHelpers
        use PhoenixHtmlSanitizer, :basic_html         <-------- add this line
      end
    end

You have to set one of three base modes here:

• :strip_tags - all tags are stripped from the input.
• :basic_html - some basic HTML tags are allowed. This is great for allowing basic usages of HTML for sites like online forums and it works great in combination with a Markdown parser.
• :full_html - all HTML5 tags are allowed and sanitized.

After you included PhoenixHtmlSanitizer into your web.ex, it will provide two functions in your views:

• sanitize/1 uses the defined base mode,
• sanitize/2 takes the mode as second parameter.

Usage in views

sanitize can strip all tags from the given string:

    text = "<a href=\"javascript:alert('XSS');\">text here</a>"
    sanitize(text, :strips_tags)
    # => {:safe, "text here"}

Or allow certain basic HTML elements to remain:

    text = "<h1>Hello <script>World!</script></h1>"
    sanitize(text, :basic_html)
    # => {:safe, "<h1>Hello World!</h1>"}

    text = "<header>Hello <script>World!</script></header>"
    sanitize(text, :full_html)
    # => {:safe, "<header>Hello World!</header>"}

Notice how the output follows the Phoenix.HTML.Safe protocol.

Thus both sanitize/1 and sanitize/2 can be used directly in your views:

<%= sanitize "<h1>Hello <script>World!</script></h1>" %>

This prints <h1>Hello World!</h1> into your eex template.

Contributing

1. Fork it!
2. Create your feature branch (git checkout -b my-new-feature)
3. Commit your changes (git commit -am 'Add some feature')
4. Push to the branch (git push origin my-new-feature)
5. Create new Pull Request

Author

René Föhring (@rrrene)

License

phoenix_html_sanitizer is released under the MIT License. See the LICENSE file for further details.