ActionText: Safe listing attributes and tags

#actiontext #rails #ruby #webdev

To safelist tags and attributes in ActionText we need to inspect the source since I was unable to find anywhere in the documentation how to do so.

Rails has a separate gem for sanitizing which can be found here:

https://github.com/rails/rails-html-sanitizer

The gem is utilized within ActionText by the content helper here:

https://github.com/rails/rails/blob/4328d0e16028a46bba79ab775e509a743ceaf18c/actiontext/app/helpers/action_text/content_helper.rb#L7-L10

What we can do with these mattr_accessors is override them by creating an initializer.

We can create a file called config/initializers/action_text.rb and fill it with some custom contents for allowable things. Let's say for example we wanted to add table editing. We'd need to add <table>, <tr>, <td>, <th>, <thead>, and <tbody>.

In addition, we may also want to add some additional attributes which we could also do here say perhaps target for links.

# config/initializers/action_text.rb

# Add table tags
ActionText::ContentHelper.allowed_tags += ["table", "tr", "td", "th", "thead", "tbody"]

# Add link attributes
ActionText::ContentHelper.allowed_attributes += ["rel", "target"]

You can also see an example from @excid3 's latest ActionText episode:

https://github.com/gorails-screencasts/modify-actiontext-html-output/blob/master/config/initializers/action_text.rb

https://gorails.com/episodes/modify-and-customize-actiontext-html-output?autoplay=1

If you're feeling real wild, you could even replace the sanitizer and scrubber with your own custom sanitizer / scrubber!

🛠️ Bring your solution into Docusign. Reach over 1.6M customers.

Docusign is now extensible. Overcome challenges with disconnected products and inaccessible data by bringing your solutions into Docusign and publishing to 1.6M customers in the App Center.

Learn more