Sanitize Rich Text elements after save

This is a nice way of incrementally sanitizing all of your Richtext elements.
AlchemyCMS · Mar 26, 2021 · dd20104 · dd20104
1 parent 9671c29
commit dd20104
Show file tree

Hide file tree

Showing 3 changed files with 45 additions and 3 deletions.
diff --git a/app/models/alchemy/essence_richtext.rb b/app/models/alchemy/essence_richtext.rb
@@ -17,6 +17,7 @@ class EssenceRichtext < BaseRecord
     acts_as_essence preview_text_column: "stripped_body"
 
     before_save :strip_content
+    before_save :sanitize_content
 
     def has_tinymce?
       true
@@ -27,5 +28,16 @@ def has_tinymce?
     def strip_content
       self.stripped_body = Rails::Html::FullSanitizer.new.sanitize(body)
     end
+
+    def sanitize_content
+      self.sanitized_body = Rails::Html::SafeListSanitizer.new.sanitize(
+        body,
+        content_sanitizer_settings
+      )
+    end
+
+    def content_sanitizer_settings
+      content&.settings&.fetch(:sanitizer, {})
+    end
   end
 end
diff --git a/spec/dummy/config/alchemy/elements.yml b/spec/dummy/config/alchemy/elements.yml
@@ -31,6 +31,11 @@
   contents:
   - name: text
     type: EssenceRichtext
+    settings:
+      sanitizer:
+        attributes: [href, target]
+        tags: [p, ol, ul, ul, li, em, strong]
+
 
 - name: search
   contents: []

diff --git a/spec/models/alchemy/essence_richtext_spec.rb b/spec/models/alchemy/essence_richtext_spec.rb
@@ -4,13 +4,38 @@
 
 module Alchemy
   describe EssenceRichtext do
+    let(:element) { create(:alchemy_element, name: "article") }
+    let(:content) { Alchemy::Content.new(name: "text", element: element) }
     let(:essence) do
-      EssenceRichtext.new(body: "<h1>Hello!</h1><p>Welcome to Peters Petshop.</p>")
+      Alchemy::EssenceRichtext.new(
+        content: content,
+        body: "<h1 style=\"color: red;\">Hello!</h1><p class=\"green\">Welcome to Peters Petshop.</p>"
+      )
     end
 
     it_behaves_like "an essence" do
-      let(:essence) { EssenceRichtext.new }
-      let(:ingredient_value) { "<h1>Hello!</h1><p>Welcome to Peters Petshop.</p>" }
+      let(:essence) { EssenceRichtext.new(content: content) }
+      let(:ingredient_value) { "<h1 style=\"color: red;\">Hello!</h1><p class=\"green\">Welcome to Peters Petshop.</p>" }
+    end
+
+    it "should save a HTML tag free version of body column" do
+      essence.save
+      expect(essence.stripped_body).to eq("Hello!Welcome to Peters Petshop.")
+    end
+
+    it "should save a sanitized version of body column" do
+      essence.save
+      expect(essence.sanitized_body).to eq("<h1>Hello!</h1><p class=\"green\">Welcome to Peters Petshop.</p>")
+    end
+
+    context "when class is not part of the allowed attributes" do
+      let(:element) { create(:alchemy_element, name: "text") }
+      let(:content) { Alchemy::Content.new(name: "text", element: element) }
+
+      it "should save a sanitized version of body column" do
+        essence.save
+        expect(essence.sanitized_body).to eq("Hello!<p>Welcome to Peters Petshop.</p>")
+      end
     end
 
     it "should save a HTML tag free version of body column" do