rails-sanitize-js 1.0.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 9756b1435f643b1d5d3bb305411d6f6ad00adad4
+  data.tar.gz: de8ad71d18b5b6de5e820210b6895236ea4be0f5
+SHA512:
+  metadata.gz: 73e55293f002ff9463c3e8d1a17f623e679d536af0be17c2122560b768d990e54ee1d3a57d81a3c1bc30c9997d3bb6d4fff523543e2ad27b6c8b7209c02251ae
+  data.tar.gz: 3ed15f295f6495a2af55c5449b0078859b2965dc733301cf5e61f09e78adff03ed1408e1f4d7e68b4de8e8a88824525cdcefd208f2a888d3226858f687764dc4

data/.gitignore

@@ -0,0 +1,4 @@
+/.bundle/
+/.ruby-version
+/.ruby-gemset
+/Gemfile.lock

data/Gemfile

@@ -0,0 +1,2 @@
+source 'https://rubygems.org'
+gemspec

data/MIT-LICENSE

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2015 Nick Chernyshev
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,307 @@
+# rails-sanitize-js
+
+rails-sanitize-js wraps the [Sanitize.js](https://github.com/gbirke/Sanitize.js) for use in Rails 3.1 and above.
+
+## Install in Rails
+
+Add the following to your Gemfile:
+
+    gem 'rails-sanitize-js'
+
+Add the following to your Rails JavaScript manifest file:
+
+    //= require sanitize
+
+## Sanitize.js
+
+Sanitize.js is a whitelist-based HTML sanitizer. Given a list of acceptable
+elements and attributes, Sanitize.js will remove all unacceptable HTML from a
+DOM node.
+
+Using a simple configuration syntax, you can tell Sanitize to allow certain
+elements, certain attributes within those elements, and even certain URL
+protocols within attributes that contain URLs. Any HTML elements or attributes
+that you don't explicitly allow will be removed.
+
+Because it's working directly with the DOM tree, rather than a bunch of
+fragile regular expressions, Sanitize.js has no trouble dealing with malformed
+or maliciously-formed HTML, and will always output valid HTML or XHTML.
+
+Sanitize.js heavily inspired by the Ruby Sanitize library
+(http://github.com/rgrove/sanitize). It tries to port it as faithful as
+possible.
+
+
+**Author**:    Gabriel Birke (mailto:gabriel@lebenplusplus.de)  
+**Version**:   1.0   
+**Copyright**: Copyright (c) 2010 Gabriel Birke. All rights reserved.  
+**License**:   MIT License (http://opensource.org/licenses/mit-license.php)  
+**Website**:   http://github.com/gbirke/Sanitize.js  
+
+## Usage
+
+If you don't specify any configuration options, Sanitize will use its
+strictest settings by default, which means it will strip all HTML and leave
+only text behind.  
+HTML:
+
+    <p id="para1"><b><a href="http://foo.com/">foo</a></b><img src="http://foo.com/bar.jpg" /></p>
+
+JavaScript:
+
+    var p = document.getElementById('para1');
+    var s = new Sanitize();
+    alert(s.clean_node(p)); // => 'foo'
+
+The original node won't be changed, what you get back is a document fragment
+with the sanitized child nodes (and their complete contents) of the original
+DOM node.
+
+## Configuration
+
+In addition to the ultra-safe default settings that leave just the plain text
+behind, Sanitize comes with three other built-in modes. The modes reside in
+separate JavaScript files that must loaded additionally to the sanitize.js
+file.
+
+### Sanitize.Config.RESTRICTED
+
+Allows only very simple inline formatting markup. No links, images, or block
+elements.
+
+    var s = new Sanitize(Sanitize.Config.RESTRICTED);
+    alert(s.clean_node(p)); // => '<b>foo</b>'
+
+### Sanitize.Config.BASIC
+
+Allows a variety of markup including formatting tags, links, and lists. Images
+and tables are not allowed, links are limited to FTP, HTTP, HTTPS, and mailto
+protocols, and a `rel="nofollow"` attribute is added to all links to
+mitigate SEO spam.
+
+    var s = new Sanitize(Sanitize.Config.BASIC);
+    alert(s.clean_node(p));
+    // => '<b><a href="http://foo.com/" rel="nofollow">foo</a></b>'
+
+### Sanitize.Config.RELAXED
+
+Allows an even wider variety of markup than BASIC, including images and tables.
+Links are still limited to FTP, HTTP, HTTPS, and mailto protocols, while images
+are limited to HTTP and HTTPS. In this mode, `rel="nofollow"` is not
+added to links.
+
+    var s = new Sanitize(Sanitize.Config.RELAXED);
+    alert(s.clean_node(p));
+    // => '<b><a href="http://foo.com/">foo</a></b><img src="http://foo.com/bar.jpg" />'
+
+### Configuration object parameters
+
+If the built-in modes don't meet your needs, you can easily specify a custom
+configuration:
+    
+    var s = new Sanitize({ 
+        elements:   ['a', 'span'],
+        attributes: { 
+            a: ['href', 'title'], 
+            span: ['class'] 
+        },
+        protocols:  { 
+            a: { href: ['http', 'https', 'mailto'] }
+        }
+    });
+    s.clean_node(p);
+
+
+#### add_attributes (Object)
+
+Attributes to add to specific elements. If the attribute already exists, it will
+be replaced with the value specified here. Specify all element names and
+attributes in lowercase.
+
+    add_attributes: {
+        a: {'rel': 'nofollow'}
+    }
+
+#### attributes (Object)
+
+Attributes to allow for specific elements. Specify all element names and
+attributes in lowercase.
+
+    attributes: {
+        a:           ['href', 'title'],
+        blockquote:  ['cite'],
+        img:         ['alt', 'src', 'title']
+    }
+
+If you'd like to allow certain attributes on all elements, use the symbol
+`__ALL__` instead of an element name.
+
+    attributes: {
+        '__ALL__': ['class'],
+        a: ['href', 'title']
+    }
+
+#### allow_comments (boolean)
+
+Whether or not to allow HTML comments. Allowing comments is strongly
+discouraged, since IE allows script execution within conditional comments. The
+default value is `false`.
+
+#### dom (DOM document)
+
+An object that implements a DOM document interface. It is mainly used to
+create new element, attribute and document fragment nodes.
+
+If you are using Sanitize in the browser, this will default to the global
+`document` variable. If you are using it on the server side, you must provide
+your own DOM implementation.
+
+#### elements (Array)
+
+Array of element names to allow. Specify all names in lowercase.
+
+    elements: [
+        'a', 'b', 'blockquote', 'br', 'cite', 'code', 'dd', 'dl', 'dt', 'em',
+        'i', 'li', 'ol', 'p', 'pre', 'q', 'small', 'strike', 'strong', 'sub',
+        'sup', 'u', 'ul'
+    ]
+
+#### protocols (Object)
+
+URL protocols to allow in specific attributes. If an attribute is listed here
+and contains a protocol other than those specified (or if it contains no
+protocol at all), it will be removed.
+
+    protocols: {
+        a:   { href: ['ftp', 'http', 'https', 'mailto']},
+        img: { src:  ['http', 'https']}
+    }
+
+If you'd like to allow the use of relative URLs which don't have a protocol,
+include the variable `Sanitize.RELATIVE` in the protocol array:
+
+    protocols: {
+        a: { href: ['http', 'https', Sanitize.RELATIVE]}
+    }
+
+Note however, that the HTML parser of Internet Explorer automatically converts
+relative URLs into absolute URLs with http protocol.
+
+#### remove_contents (boolean or Array)
+
+If set to `true`, Sanitize will remove the contents of any non-whitelisted
+elements in addition to the elements themselves. By default, Sanitize leaves the
+safe parts of an element's contents behind when the element is removed.
+
+If set to an Array of element names, then only the contents of the specified
+elements (when filtered) will be removed, and the contents of all other filtered
+elements will be left behind.
+
+The default value is `false`.
+
+#### transformers (Array)
+
+See below.
+
+### Transformers
+
+Transformers allow you to filter and alter nodes using your own custom logic, on
+top of (or instead of) Sanitize's core filter. A transformer is a function that
+returns either `null` or an Object containing certain optional response values.
+
+To use one or more transformers, pass them to the `transformers` config setting:
+
+    var s = new Sanitize({ transformers: [transformer_one, transformer_two]});
+
+#### Input
+
+Each registered transformer function will be called once for
+each element node in the HTML, and will receive as an argument an environment
+Object that contains the following items:
+
+`allowed_elements`
+:  Object with whitelisted element names as keys, to facilitate fast lookups of
+   whitelisted elements.
+
+`config`
+:  The current Sanitize configuration Hash.
+
+`dom`
+:  A DOM document object. 
+
+`node`
+  A DOM node object representing an HTML element.
+
+`node_name`
+:  The name of the current HTML node, always lowercase (e.g. "div" or "span").
+
+`whitelist_nodes`
+:  Array of DOM nodes that have already been whitelisted by
+   previous transformers, if any.
+
+#### Processing
+
+Each transformer has full access to the DOM node that's passed into it and to
+the rest of the document via the node's DOM methods method. Any changes will
+be passed on to subsequently-called transformers and to Sanitize itself. A
+transformer may even call Sanitize internally to perform custom sanitization
+if needed. Nodes are passed into transformers in the order in which they're
+traversed.
+
+Transformers have a tremendous amount of power, including the power to
+completely bypass Sanitize's built-in filtering. Be careful!
+
+#### Output
+
+A transformer may return either `null` or an Object. A return value of `null`
+indicates that the transformer does not wish to act on the current node in any
+way. A returned Object may contain the following items, all of which are optional:
+
+`attr_whitelist`
+:  Array of attribute names to add to the whitelist for the current node, in
+   addition to any whitelisted attributes already defined in the current config.
+
+`node`
+:  DOM node object that should replace the current node. All
+   subsequent transformers and Sanitize itself will receive this new node.
+
+`whitelist`
+:  If `true`, the current node (and only the current node) will be whitelisted,
+   regardless of the current Sanitize config.
+
+`whitelist_nodes`
+:  Array of specific DOM node objects to whitelist, anywhere in the
+   document, regardless of the current Sanitize config.
+
+## Known Bugs and Limitations
+* The `style` attribute is always dropped on Internet Explorer 5-7. 
+* Internet Explorer always converts relative URL values to absolute URLs.
+
+## Contributors
+
+The following lovely people have contributed to Sanitize in the form of patches
+or ideas that later became code:
+
+* Gabriel Birke <gabriel@lebenplusplus.de>
+* Ryan Grove <ryan@wonko.com> - Original author of the Ruby Sanitize library
+
+## License
+
+Copyright (c) 2010 Gabriel Birke <gabriel@lebenplusplus.de>
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of
+this software and associated documentation files (the 'Software'), to deal in
+the Software without restriction, including without limitation the rights to
+use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+the Software, and to permit persons to whom the Software is furnished to do so,
+subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED 'AS IS', WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/Rakefile

@@ -0,0 +1 @@
+require "bundler/gem_tasks"

data/lib/rails-sanitize-js.rb

@@ -0,0 +1,9 @@
+require "rails-sanitize-js/version"
+
+module RailsSanitizeJs
+  if defined? ::Rails::Engine
+    require "rails-sanitize-js/engine"
+  else
+    puts "You should use Rails 3.1+ and higher with rails-sanitize-js!"
+  end
+end

data/lib/rails-sanitize-js/engine.rb

@@ -0,0 +1,4 @@
+module RailsSanitizeJs
+  class Engine < ::Rails::Engine
+  end
+end

data/lib/rails-sanitize-js/version.rb

@@ -0,0 +1,3 @@
+module RailsSanitizeJs
+  VERSION = "1.0.0"
+end

data/rails-sanitize-js.gemspec

@@ -0,0 +1,19 @@
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'rails-sanitize-js/version'
+
+# Describe your gem and declare its dependencies:
+Gem::Specification.new do |spec|
+  spec.name      = "rails-sanitize-js"
+  spec.version   = RailsSanitizeJs::VERSION
+  spec.authors  = ["Gabriel Birke", "Nick Chernyshev"]
+  spec.email    = ["nick.chernyshev@gmail.com"]
+
+  spec.summary   = "Sanitize.js for rails assets"
+  spec.description = "Add Sanitize.js into your asset pipeline."
+  spec.homepage    = "https://github.com/flowerett/rails-sanitize-js"
+  spec.license   = "MIT"
+
+  spec.files         = `git ls-files -z`.split("\x0")
+  spec.require_paths = ["lib"]
+end

data/vendor/assets/javascripts/sanitize.js

@@ -0,0 +1,260 @@
+/**
+ * Copyright (c) 2010 by Gabriel Birke
+ * 
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the 'Software'), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ * 
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ * 
+ * THE SOFTWARE IS PROVIDED 'AS IS', WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+function Sanitize(){
+  var i, e, options;
+  options = arguments[0] || {};
+  this.config = {};
+  this.config.elements = options.elements ? options.elements : [];
+  this.config.attributes = options.attributes ? options.attributes : {};
+  this.config.attributes[Sanitize.ALL] = this.config.attributes[Sanitize.ALL] ? this.config.attributes[Sanitize.ALL] : [];
+  this.config.allow_comments = options.allow_comments ? options.allow_comments : false;
+  this.allowed_elements = {};
+  this.config.protocols = options.protocols ? options.protocols : {};
+  this.config.add_attributes = options.add_attributes ? options.add_attributes  : {};
+  this.dom = options.dom ? options.dom : document;
+  for(i=0;i<this.config.elements.length;i++) {
+    this.allowed_elements[this.config.elements[i]] = true;
+  }
+  this.config.remove_element_contents = {};
+  this.config.remove_all_contents = false;
+  if(options.remove_contents) {
+    
+    if(options.remove_contents instanceof Array) {
+      for(i=0;i<options.remove_contents.length;i++) {
+        this.config.remove_element_contents[options.remove_contents[i]] = true;
+      }
+    }
+    else {
+      this.config.remove_all_contents = true;
+    }
+  }
+  this.transformers = options.transformers ? options.transformers : [];
+}
+
+Sanitize.REGEX_PROTOCOL = /^([A-Za-z0-9\+\-\.\&\;\*\s]*?)(?:\:|&*0*58|&*x0*3a)/i;
+
+// emulate Ruby symbol with string constant
+Sanitize.RELATIVE = '__RELATIVE__';
+Sanitize.ALL = '__ALL__';
+
+Sanitize.prototype.clean_node = function(container) {
+  var fragment = this.dom.createDocumentFragment();
+  this.current_element = fragment;
+  this.whitelist_nodes = [];
+
+  
+
+  /**
+   * Utility function to check if an element exists in an array
+   */
+  function _array_index(needle, haystack) {
+    var i;
+    for(i=0; i < haystack.length; i++) {
+      if(haystack[i] == needle) 
+        return i;
+    }
+    return -1;
+  }
+  
+  function _merge_arrays_uniq() {
+    var result = [];
+    var uniq_hash = {};
+    var i,j;
+    for(i=0;i<arguments.length;i++) {
+      if(!arguments[i] || !arguments[i].length)
+        continue;
+      for(j=0;j<arguments[i].length;j++) {
+        if(uniq_hash[arguments[i][j]])
+          continue;
+        uniq_hash[arguments[i][j]] = true;
+        result.push(arguments[i][j]);
+      }
+    }
+    return result;
+  }
+  
+  /**
+   * Clean function that checks the different node types and cleans them up accordingly
+   * @param elem DOM Node to clean
+   */
+  function _clean(elem) {
+    var clone;
+    switch(elem.nodeType) {
+      // Element
+      case 1:
+        _clean_element.call(this, elem);
+        break;
+      // Text
+      case 3:
+        clone = elem.cloneNode(false);
+        this.current_element.appendChild(clone);
+        break;
+      // Entity-Reference (normally not used)
+      case 5:
+        clone = elem.cloneNode(false);
+        this.current_element.appendChild(clone);
+        break;
+      // Comment
+      case 8:
+        if(this.config.allow_comments) {
+          clone = elem.cloneNode(false);
+          this.current_element.appendChild(clone);
+        }
+        break;
+      default:
+        if (console && console.log) console.log("unknown node type", elem.nodeType);
+        break;
+    }
+ 
+  }
+  
+  function _clean_element(elem) {
+    var i, j, clone, parent_element, name, allowed_attributes, attr, attr_name, attr_node, protocols, del, attr_ok;
+    var transform = _transform_element.call(this, elem);
+    
+    elem = transform.node;
+    name = elem.nodeName.toLowerCase();
+    
+    // check if element itself is allowed
+    parent_element = this.current_element;
+    if(this.allowed_elements[name] || transform.whitelist) {
+        this.current_element = this.dom.createElement(elem.nodeName);
+        parent_element.appendChild(this.current_element);
+        
+      // clean attributes
+      var attrs = this.config.attributes;
+      allowed_attributes = _merge_arrays_uniq(attrs[name], attrs[Sanitize.ALL], transform.attr_whitelist);
+      for(i=0;i<allowed_attributes.length;i++) {
+        attr_name = allowed_attributes[i];
+        attr = elem.attributes[attr_name];
+        if(attr) {
+            attr_ok = true;
+            // Check protocol attributes for valid protocol
+            if(this.config.protocols[name] && this.config.protocols[name][attr_name]) {
+              protocols = this.config.protocols[name][attr_name];
+              del = attr.value.toLowerCase().match(Sanitize.REGEX_PROTOCOL);
+              if(del) {
+                attr_ok = (_array_index(del[1], protocols) != -1);
+              }
+              else {
+                attr_ok = (_array_index(Sanitize.RELATIVE, protocols) != -1);
+              }
+            }
+            if(attr_ok) {
+              attr_node = document.createAttribute(attr_name);
+              attr_node.value = attr.value;
+              this.current_element.setAttributeNode(attr_node);
+            }
+        }
+      }
+      
+      // Add attributes
+      if(this.config.add_attributes[name]) {
+        for(attr_name in this.config.add_attributes[name]) {
+          attr_node = document.createAttribute(attr_name);
+          attr_node.value = this.config.add_attributes[name][attr_name];
+          this.current_element.setAttributeNode(attr_node);
+        }
+      }
+    } // End checking if element is allowed
+    // If this node is in the dynamic whitelist array (built at runtime by
+    // transformers), let it live with all of its attributes intact.
+    else if(_array_index(elem, this.whitelist_nodes) != -1) {
+      this.current_element = elem.cloneNode(true);
+      // Remove child nodes, they will be sanitiazied and added by other code
+      while(this.current_element.childNodes.length > 0) {
+        this.current_element.removeChild(this.current_element.firstChild);
+      }
+      parent_element.appendChild(this.current_element);
+    }
+
+    // iterate over child nodes
+    if(!this.config.remove_all_contents && !this.config.remove_element_contents[name]) {
+      for(i=0;i<elem.childNodes.length;i++) {
+        _clean.call(this, elem.childNodes[i]);
+      }
+    }
+    
+    // some versions of IE don't support normalize.
+    if(this.current_element.normalize) {
+      this.current_element.normalize();
+    }
+    this.current_element = parent_element;
+  } // END clean_element function
+  
+  function _transform_element(node) {
+    var output = {
+      attr_whitelist:[],
+      node: node,
+      whitelist: false
+    };
+    var i, j, transform;
+    for(i=0;i<this.transformers.length;i++) {
+      transform = this.transformers[i]({
+        allowed_elements: this.allowed_elements,
+        config: this.config,
+        node: node,
+        node_name: node.nodeName.toLowerCase(),
+        whitelist_nodes: this.whitelist_nodes,
+        dom: this.dom
+      });
+      if (transform == null) 
+        continue;
+      else if(typeof transform == 'object') {
+        if(transform.whitelist_nodes && transform.whitelist_nodes instanceof Array) {
+          for(j=0;j<transform.whitelist_nodes.length;j++) {
+            if(_array_index(transform.whitelist_nodes[j], this.whitelist_nodes) == -1) {
+              this.whitelist_nodes.push(transform.whitelist_nodes[j]);
+            }
+          }
+        }
+        output.whitelist = transform.whitelist ? true : false;
+        if(transform.attr_whitelist) {
+          output.attr_whitelist = _merge_arrays_uniq(output.attr_whitelist, transform.attr_whitelist);
+        }
+        output.node = transform.node ? transform.node : output.node;
+      }
+      else {
+        throw new Error("transformer output must be an object or null");
+      }
+    }
+    return output;
+  }
+  
+  
+  
+  for(i=0;i<container.childNodes.length;i++) {
+    _clean.call(this, container.childNodes[i]);
+  }
+  
+  if(fragment.normalize) {
+    fragment.normalize();
+  }
+  
+  return fragment;
+  
+};
+
+if ( typeof define === "function" ) {
+  define( "sanitize", [], function () { return Sanitize; } );
+}

data/vendor/assets/javascripts/sanitize/config/basic.js

@@ -0,0 +1,27 @@
+if(!Sanitize.Config) {
+  Sanitize.Config = {}
+}
+
+Sanitize.Config.BASIC = {
+  elements: [
+     'a', 'b', 'blockquote', 'br', 'cite', 'code', 'dd', 'dl', 'dt', 'em',
+     'i', 'li', 'ol', 'p', 'pre', 'q', 'small', 'strike', 'strong', 'sub',
+     'sup', 'u', 'ul'],
+
+   attributes: {
+     'a'         : ['href'],
+     'blockquote': ['cite'],
+     'q'         : ['cite']
+   },
+
+   add_attributes: {
+     'a': {'rel': 'nofollow'}
+   },
+
+   protocols: {
+     'a'         : {'href': ['ftp', 'http', 'https', 'mailto',
+                                 Sanitize.RELATIVE]},
+     'blockquote': {'cite': ['http', 'https', Sanitize.RELATIVE]},
+     'q'         : {'cite': ['http', 'https', Sanitize.RELATIVE]}
+   }
+}

data/vendor/assets/javascripts/sanitize/config/relaxed.js

@@ -0,0 +1,35 @@
+if(!Sanitize.Config) {
+  Sanitize.Config = {}
+}
+
+Sanitize.Config.RELAXED = {
+  elements: [
+    'a', 'b', 'blockquote', 'br', 'caption', 'cite', 'code', 'col',
+    'colgroup', 'dd', 'dl', 'dt', 'em', 'h1', 'h2', 'h3', 'h4', 'h5', 'h6',
+    'i', 'img', 'li', 'ol', 'p', 'pre', 'q', 'small', 'strike', 'strong',
+    'sub', 'sup', 'table', 'tbody', 'td', 'tfoot', 'th', 'thead', 'tr', 'u',
+    'ul'],
+
+  attributes: {
+    'a'         : ['href', 'title'],
+    'blockquote': ['cite'],
+    'col'       : ['span', 'width'],
+    'colgroup'  : ['span', 'width'],
+    'img'       : ['align', 'alt', 'height', 'src', 'title', 'width'],
+    'ol'        : ['start', 'type'],
+    'q'         : ['cite'],
+    'table'     : ['summary', 'width'],
+    'td'        : ['abbr', 'axis', 'colspan', 'rowspan', 'width'],
+    'th'        : ['abbr', 'axis', 'colspan', 'rowspan', 'scope',
+                     'width'],
+    'ul'        : ['type']
+  },
+
+  protocols: {
+    'a'         : {'href': ['ftp', 'http', 'https', 'mailto',
+                                Sanitize.RELATIVE]},
+    'blockquote': {'cite': ['http', 'https', Sanitize.RELATIVE]},
+    'img'       : {'src' : ['http', 'https', Sanitize.RELATIVE]},
+    'q'         : {'cite': ['http', 'https', Sanitize.RELATIVE]}
+  }
+}

data/vendor/assets/javascripts/sanitize/config/restricted.js

@@ -0,0 +1,7 @@
+if(!Sanitize.Config) {
+  Sanitize.Config = {}
+}
+
+Sanitize.Config.RESTRICTED = {
+  elements: ['b', 'em', 'i', 'strong', 'u']       
+}

metadata

@@ -0,0 +1,58 @@
+--- !ruby/object:Gem::Specification
+name: rails-sanitize-js
+version: !ruby/object:Gem::Version
+  version: 1.0.0
+platform: ruby
+authors:
+- Gabriel Birke
+- Nick Chernyshev
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2015-06-19 00:00:00.000000000 Z
+dependencies: []
+description: Add Sanitize.js into your asset pipeline.
+email:
+- nick.chernyshev@gmail.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- Gemfile
+- MIT-LICENSE
+- README.md
+- Rakefile
+- lib/rails-sanitize-js.rb
+- lib/rails-sanitize-js/engine.rb
+- lib/rails-sanitize-js/version.rb
+- rails-sanitize-js.gemspec
+- vendor/assets/javascripts/sanitize.js
+- vendor/assets/javascripts/sanitize/config/basic.js
+- vendor/assets/javascripts/sanitize/config/relaxed.js
+- vendor/assets/javascripts/sanitize/config/restricted.js
+homepage: https://github.com/flowerett/rails-sanitize-js
+licenses:
+- MIT
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.4.6
+signing_key: 
+specification_version: 4
+summary: Sanitize.js for rails assets
+test_files: []