If one uses Rails::Html::PermitScrubber and doesn't specify a value for tags or attributes it defaults to using reasonable defaults from Loofah::HTML5::Scrub. However, as soon as you set tags or attributes it chooses a completely different code path that ignores those defaults.

I want to start with the default functionality provided by Rails::Html::PermitScrubber (i.e. when tags/attributes aren't specified) and just make a few small changes but looking at the class implementation it seems like I would need to basically copy and reimplement half the PermitScrubber methods just to access that default functionality. And the defaults provided by Loofah::HTML5::Scrub don't seem to be part of any existing Loofah::Scrubber class.

So how do I make minor changes to the default operation of Rails::Html::PermitScrubber without reimplementing half the class? Surely this is a very common use case!

Peter Gerdes

1 Answer

I guess you can just subclass Rails::Html::PermitScrubber and override keep_node? to get the needed behavior (not changing the code path if tags are present).

The code of the original keep_node? is:

  def keep_node?(node)
    if @tags
      allowed_node?(node)
    else
      Loofah::HTML5::Scrub.allowed_element?(node.name)
    end
  end

Probably, that is the part that you want to update.

Or, you can monkey-patch the existing class if a subclass does not suit your case.

Pavel Oganesyan
    This is mostly what I ended up doing but for anyone else who comes across this you are also going to need to override scrub_attributes as well (and maybe scrub_attribute? if you still use this in the overridden scrub_attributes). I was just hoping that there was some easier way to do this but it turned out this wasn't so bad. – Peter Gerdes Jan 09 '22 at 18:23