Ignoring Symbols

[aljadepalaran]

Is there a way to ignore specific symbols when running Sanitize.fragment(value). I am attempting to sanitize a string with ampersand and it changes it to &.

[flavorjones]

Without knowing what your input string is, I'm going to make an assumption that your input string contains a bare &. libxml2 and libgumbo (which underly Nokogiri, which underlies Sanitize) will correct a bare & to the HTML entity:

#! /usr/bin/env ruby

require "nokogiri"

frag = Nokogiri::HTML5.fragment("<div>this & that</div>")
frag.to_html # => "<div>this &amp; that</div>"

libxml2 does not allow configuration of how the core HTML entities like <, >, and & are serialized, which is the right thing to do if you want to emit properly-formed HTML.

Can you tell us a bit more about your use case? Are you trying to sanitize plaintext, or is it truly HTML markup content? If it's plaintext you may be able to use Loofah which provides an opt-in feature that outputs unescaped entities (for example, if you're sending text via SMS you don't want & you want &).

[aljadepalaran]

Yes, I am attempting to sanitize plain text. I have a text field where the user answers a question and I would like to sanitize that input. Essentially sanitize but allow & to show up as &, not &. I will have a look at using Loofah. Thanks!

[flavorjones]

Here's an example of how to do what I described above:

#! /usr/bin/env ruby

require "loofah"

frag = Loofah.fragment("<div>this & that</div>").scrub!(:prune)

frag.text
# => "this &amp; that"

frag.text(encode_special_chars: false)
# => "this & that"

Please take care that you never specify encode_special_chars: false on a string that's going to be rendered in an HTML browser, because that will open your users up to XSS attacks.

[aljadepalaran]

I looked into it further and decided to not pursue it further, and instead changed & and 'and'. Thanks for the help :)