phoenix_html_sanitizer provides a simple way to sanitize user input in your Phoenix app.

It is extracted from the elixirstatus.com project, where it is used to sanitize user annoucements from around the Elixir community.

phoenix_html_sanitizer parses a given HTML string and either completely strips it from HTML tags or sanitizes it by only allowing certain HTML elements and attributes to be present. It depends on html_sanitize_ex to do this.

Add phoenix_html_sanitizer as a dependency in your mix.exs file.

defp deps do
  [
    # ...
    {:phoenix_html_sanitizer, "~> 1.1"}
  ]
end

After you are done, run mix deps.get in your shell.

To include the Sanitizer into all your views, you can add it to your web.ex file:

    def view do
      quote do
        use Phoenix.View, root: "web/templates"

        [snip]

        # Use all HTML functionality (forms, tags, etc)
        use Phoenix.HTML
        use PhoenixHtmlSanitizer, :basic_html         <-------- add this line
      end
    end

You have to set one of three base modes here:

• :strip_tags - all tags are stripped from the input.
• :basic_html - some basic HTML tags are allowed. This is great for allowing basic usages of HTML for sites like online forums and it works great in combination with a Markdown parser.
• :full_html - all HTML5 tags are allowed and sanitized.

After you included PhoenixHtmlSanitizer into your web.ex, it will provide two functions in your views:

• sanitize/1 uses the defined base mode,
• sanitize/2 takes the mode as second parameter.

sanitize can strip all tags from the given string:

    text = "<a href=\"javascript:alert('XSS');\">text here</a>"
    sanitize(text, :strips_tags)
    # => {:safe, "text here"}

Or allow certain basic HTML elements to remain:

    text = "<h1>Hello <script>World!</script></h1>"
    sanitize(text, :basic_html)
    # => {:safe, "<h1>Hello World!</h1>"}

    text = "<header>Hello <script>World!</script></header>"
    sanitize(text, :full_html)
    # => {:safe, "<header>Hello World!</header>"}

Notice how the output follows the Phoenix.HTML.Safe protocol.

Thus both sanitize/1 and sanitize/2 can be used directly in your views:

<%= sanitize "<h1>Hello <script>World!</script></h1>" %>

This prints <h1>Hello World!</h1> into your eex template.

1. Fork it!
2. Create your feature branch (git checkout -b my-new-feature)
3. Commit your changes (git commit -am 'Add some feature')
4. Push to the branch (git push origin my-new-feature)
5. Create new Pull Request

René Föhring (@rrrene)

phoenix_html_sanitizer is released under the MIT License. See the LICENSE file for further details.