I'm working on a Rails application and I would like to know what's the best way to strip blocks of CSS or JavaScript.

```html
<style>
...
</style>
```

or

```html
<script>
...
</script>
```

I'm using the *strip_tags* helper to take care of most of the HTML, but it leaves a bunch of CSS when the content contains inline CSS. Thanks

A: 

The recommended way to do this is using the sanitize method. The strip_tags method is somewhat limited and less secure:

> [strip_tags] Strips all HTML tags from the html, including comments. This uses the html-scanner tokenizer and so its HTML parsing ability is limited by that of html-scanner.

If you use sanitize, you will be much more secure; just come up with a white list of tags you intend to allow first.

Sam Saffron
Thanks, but that won't solve my issue. I'd like to get rid of the opening and closing style tags, plus all inline CSS between those tags as well. This way I'm only left with plain text.
A: 

If you need user-provided CSS for your application, you can try using http://github.com/courtenay/css_file_sanitize/tree/master as well.

Yaroslav
Thanks, this will definitely be useful, but it doesn't answer my question (see above comment). Thanks
+1  A: 

Try using the Nokogiri library:

```ruby
require 'nokogiri'

str = " ... " # some HTML from the user
doc = Nokogiri::HTML(str)
doc.css("style,script").remove # remove these elements together with their content
new_string = doc.to_s
```

Nokogiri can do much more, but this is what you asked for in the question :-)

MBO