I'm converting ActionText HTML into PDF using Prawn-Markup. I need large images to be scaled down (not resized or cropped), which requires setting the width in the style attribute, which Prawn-Markup then forwards to Prawn.
Unfortunately, the style attribute is removed by Rails' Sanitizer when rendering the template.

# app/views/active_storage/blobs/_blob.html.erb
image_tag blob, style: "width: #{blob.metadata[:width]}px"
# => "<img style=\"width: 200px\" src=\"...\" />"

# app/views/action_text/content/_layout.html.erb
# => "<img src=\"...\" />"

The style attribute needs to be preserved when rendering blobs, but I don't want to disable style sanitization for the entire app.

Any idea how to achieve that?

EDIT: I was able to allow style attributes in ActionText by adding it to the ActionText::Attachment::ATTRIBUTES in an initializer, which works for blobs, but leaves ActionText open to abuse. Still searching…

Goulven

1 Answer

Try:

ActionText::Content::ALLOWED_ATTRIBUTES.add 'style'

Or:

# config/initializers/action_text.rb
# frozen_string_literal: true

# You can also add a check to make sure the style attribute is only allowed for images:

module ActionText
  class Content
    ATTRIBUTES = %w[
      # ...
    ].freeze

    def sanitize
      # ...
      ATTRIBUTES << 'style' if node.name == 'img'
      # ...
    end
  end
end 
Tibic4
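
Added example, not part of the question or the answer and not Rails' or ActionText's own code: one way to limit the abuse the question's EDIT mentions is to accept `style` only on `img`, and only when it is exactly one bounded `width: Npx` declaration. The pure-Ruby policy below uses hypothetical names (`filter_style`, `scrub_attributes`, `MAX_WIDTH_PX`); wiring it into the app's HTML sanitizer is assumed and not shown.

```ruby
# frozen_string_literal: true

# Hypothetical upper bound; pick one that fits the PDF page width.
MAX_WIDTH_PX = 2000

# Exactly "width: <1-4 digits>px", nothing else (no %, calc(), url(), comments).
WIDTH_DECL = /\A\s*width\s*:\s*(\d{1,4})px\s*\z/i

# Returns a normalized style string, or nil when the attribute must be dropped.
def filter_style(tag_name, style)
  return nil unless tag_name.to_s.downcase == "img"
  return nil if style.nil?

  declarations = style.split(";").map(&:strip).reject(&:empty?)
  # Reject the whole attribute if anything besides one width is present,
  # rather than trying to parse arbitrary CSS safely.
  return nil unless declarations.size == 1

  match = WIDTH_DECL.match(declarations.first)
  return nil unless match

  px = match[1].to_i
  return nil unless px.between?(1, MAX_WIDTH_PX)

  "width: #{px}px" # re-emit from the parsed number, never echo the input
end

# Applies the style policy to one tag's attributes (a Hash of name => value).
# Other attributes pass through untouched; the regular sanitizer's
# allow-list is assumed to handle them.
def scrub_attributes(tag_name, attrs)
  attrs.each_with_object({}) do |(name, value), kept|
    if name.to_s.downcase == "style"
      safe = filter_style(tag_name, value)
      kept["style"] = safe if safe
    else
      kept[name] = value
    end
  end
end

# Constructed sample input:
p scrub_attributes("img", { "src" => "a.png", "style" => "width: 200px" })
p scrub_attributes("img", { "src" => "a.png", "style" => "width: 200px; position: fixed" })
p scrub_attributes("div", { "style" => "width: 200px" })
```
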