Rails - How to only escape – Laas Mar 01 '16 at 09:38

Question

As you are on rails 4.2.5, you can use https://github.com/rails/rails-html-sanitizer which gets installed with rails. You can do following to escape only script tag.

scrubber = Rails::Html::TargetScrubber.new
scrubber.tags = ['script']

html_fragment = Loofah.fragment('<script></script><div></div>')
html_fragment.scrub!(scrubber)
html_fragment.to_s # outputs "<div></div>"

score 1 · Answer 1 · edited May 23 '21 at 13:50

1

As you are on rails 4.2.5, you can use https://github.com/rails/rails-html-sanitizer which gets installed with rails. You can do following to escape only script tag.

scrubber = Rails::Html::TargetScrubber.new
scrubber.tags = ['script']

html_fragment = Loofah.fragment('<script></script><div></div>')
html_fragment.scrub!(scrubber)
html_fragment.to_s # outputs "<div></div>"

edited May 23 '21 at 13:50

BananaNeil

10,322
7
46
66

answered Mar 01 '16 at 10:06

Rohan Pujari

788
9
21

score 0 · Answer 2 · answered Mar 01 '16 at 08:56

 string = '<html> <title> <head> <script type="javascript"></script> </head> </title> </html>'

 string.gsub(/<script.*[\s\S]*\/script>/,"")

 => "<html> <title> <head>  </head> </title> </html>"

Update

If you are using Rails 4.2.5 you may need this.

Rails::HTML::TargetScrubber

score 0 · Answer 3 · edited May 23 '17 at 10:34

Rails providing so many options for string / HTML entities

  s = "<script>alert('Hello');</script>"

option : WhiteListSanitizer

 white_list_sanitizer = Rails::Html::WhiteListSanitizer.new
 white_list_sanitizer.sanitize(s, tags: %w())
 white_list_sanitizer.sanitize(s, tags: %w(table tr td), attributes: %w(id class style))
  => "alert('Hello');"

Refer this link alse

How to show some HTML entities on title tag using Rails

score -2 · Answer 4 · answered Mar 01 '16 at 08:59

-2

string.gsub!(/<(?=script)||(?<=script)>/) {|x| "#\{x}"}

answered Mar 01 '16 at 08:59

Joe Half Face

2,303
1
17
45

4 Answers4