# Phoenix HTML Sanitizer

`phoenix_html_sanitizer` provides a simple way to sanitize user input in your Phoenix app.

It is extracted from the []( project, where it is used to sanitize user announcements from around the Elixir community.

## What can it do?

`phoenix_html_sanitizer` parses a given HTML string and either completely strips it from HTML tags or sanitizes it by only allowing certain HTML elements and attributes to be present. It depends on [html_sanitize_ex]( to do this.

## Installation

Add phoenix_html_sanitizer as a dependency in your `mix.exs` file.

    defp deps do
      [
        # ...
        {:phoenix_html_sanitizer, "~> 0.1.0"}
      ]
    end

After you are done, run `mix deps.get` in your shell.

To include the Sanitizer in all your views, add it to your `web.ex`:

    def view do
      quote do
        use Phoenix.View, root: "web/templates"

        # Use all HTML functionality (forms, tags, etc)
        use Phoenix.HTML
        use Phoenix.HTML.Sanitizer, :basic_html   # <-- add this line
      end
    end

You have to set one of three base modes here:

* `:strip_tags` - all tags are stripped from the input.
* `:basic_html` - some basic HTML tags are allowed. This is great for allowing basic use of HTML on sites like online forums, and it works well in combination with a Markdown parser.
* `:full_html` - all HTML5 tags are allowed and sanitized.

After you have included `Phoenix.HTML.Sanitizer` in your `web.ex`, it provides
two functions in your views:

* `sanitize/1` uses the defined base mode,
* `sanitize/2` takes the mode as second parameter.

## Usage in views

`sanitize` can strip all tags from the given string:

    text = "<a href=\"javascript:alert('XSS');\">text here</a>"
    sanitize(text, :strip_tags)
    # => {:safe, "text here"}

Or allow certain basic HTML elements to remain:

    text = "<h1>Hello <script>World!</script></h1>"
    sanitize(text, :basic_html)
    # => {:safe, "<h1>Hello World!</h1>"}

    text = "<header>Hello <script>World!</script></header>"
    sanitize(text, :full_html)
    # => {:safe, "<header>Hello World!</header>"}

Notice how the output follows the `Phoenix.HTML.Safe` protocol.

Thus both `sanitize/1` and `sanitize/2` can be used directly in your views:

    <%= sanitize "<h1>Hello <script>World!</script></h1>" %>

This renders `<h1>Hello World!</h1>` in your `eex` template.
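As an added example (not code from the phoenix_html_sanitizer project), here is a view module wired up as described above together with an ExUnit test that contrasts sanitizing user input with merely escaping it via `Phoenix.HTML.html_escape/1`; the `MyApp.CommentView` module and its function names are assumptions.

```elixir
# Added example, not part of the phoenix_html_sanitizer project.
# MyApp.CommentView and its function names are hypothetical.
defmodule MyApp.CommentView do
  use Phoenix.HTML
  use Phoenix.HTML.Sanitizer, :basic_html

  # Comment bodies: keep harmless markup, drop everything else.
  def comment_html(body) when is_binary(body), do: sanitize(body)

  # Plain-text contexts (page titles, notifications): no markup at all.
  def comment_title(body) when is_binary(body), do: sanitize(body, :strip_tags)
end

defmodule MyApp.CommentViewTest do
  use ExUnit.Case, async: true
  import Phoenix.HTML, only: [html_escape: 1, safe_to_string: 1]
  alias MyApp.CommentView

  # Constructed inputs, taken from the examples in this README.
  @markup "<h1>Hello <script>World!</script></h1>"
  @link "<a href=\"javascript:alert('XSS');\">text here</a>"

  test "sanitize/1 returns a Phoenix.HTML.Safe value, not a plain string" do
    assert {:safe, _} = CommentView.comment_html(@markup)
  end

  test "basic_html keeps allowed elements and removes <script>" do
    assert safe_to_string(CommentView.comment_html(@markup)) == "<h1>Hello World!</h1>"
  end

  test "strip_tags leaves only text, so the javascript: link is gone" do
    assert safe_to_string(CommentView.comment_title(@link)) == "text here"
  end

  test "escaping is not sanitizing: html_escape/1 renders the tags as text" do
    assert safe_to_string(html_escape(@markup)) ==
             "&lt;h1&gt;Hello &lt;script&gt;World!&lt;/script&gt;&lt;/h1&gt;"
  end

  test "an already-safe value passes through html_escape/1 untouched" do
    safe = CommentView.comment_html(@markup)
    assert html_escape(safe) == safe
  end
end
```

The last two tests make the practical point: escaping turns user markup into visible text, while sanitizing keeps the allowed tags as real markup and drops the rest, so choose `sanitize` when some HTML must survive and never `raw/1` on user input.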

## Contributing

1. [Fork it!](
2. Create your feature branch (`git checkout -b my-new-feature`)
3. Commit your changes (`git commit -am 'Add some feature'`)
4. Push to the branch (`git push origin my-new-feature`)
5. Create new Pull Request

## Author

René Föhring (@rrrene)

## License

phoenix_html_sanitizer is released under the MIT License. See the LICENSE file
for further details.