How to safely sanitize input from TinyMCE in ruby?
I just added TinyMCE to a small CMS I built in Rails. I've been using RedCloth before to style user generated articles.
Since I started using TinyMCE, I would like to also allow users to embed video (from youtube for ex) into their blog posts.
I'm using the following helper in the views:

    sanitize(text,
      :tags => %w(a object p param h1 h2 h3 h4 h5 h6 br hr ul li img),
      :attributes => %w(href name src type value width height data))
Is this safe? Or should I not allow those tags? If so, which tags can I allow? How can I test to make sure?
This is still in staging.
Thanks
Deb
You are allowed to use all the tags you want via the valid_elements configuration option; check out the default setting, which you can expand. You may also have a look at the custom_elements option.
For anyone facing the issue of TinyMCE not allowing YouTube embeds in Rails, or stripping out the iFrame embed code - this worked for me in Rails 7, Jan. 2023:
<%= sanitize @post.body, tags: %w( iframe ), attributes: %w(width height src source) %>
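Both answers above permit the embed element by name only, which means any `src` the user types is kept as long as it has an http(s) scheme. The example below is added here (it is not code from the asker, the answerers, or TinyMCE) and shows the check a reviewer would ask for: a small, framework-independent URL policy that accepts only `https://www.youtube.com/embed/<id>` style URLs (host allowlist, no port or userinfo, 11-character video ID, query string dropped), plus a `Rails::Html::PermitScrubber` subclass that applies it to `iframe` nodes before the tag is allowed through. The allowed-host list, the tag and attribute lists, the `sanitize_post_body` helper and the sample post are assumptions made for this example; the scrubber half is only defined when the rails-html-sanitizer gem is installed so the policy can be unit-tested without booting Rails.

```ruby
require "uri"

# Framework-independent policy for which embed URLs a post may reference.
# Hosts and ID format are assumptions for this example, not a YouTube spec.
module EmbedPolicy
  ALLOWED_HOSTS = %w[www.youtube.com youtube.com www.youtube-nocookie.com].freeze
  VIDEO_ID = /\A[A-Za-z0-9_-]{11}\z/

  # Returns a canonical embed URL when +url+ is an acceptable YouTube embed,
  # otherwise nil. Rejects javascript:, data:, http:, protocol-relative and
  # foreign hosts, non-default ports, credentials, and non-/embed/ paths.
  # The query string is deliberately discarded rather than allowlisted.
  def self.youtube_embed_url(url)
    uri = URI.parse(url.to_s.strip)
    return nil unless uri.is_a?(URI::HTTPS)
    return nil unless ALLOWED_HOSTS.include?(uri.host.to_s.downcase)
    return nil if uri.userinfo || uri.port != 443
    m = %r{\A/embed/([^/]+)\z}.match(uri.path)
    return nil unless m && VIDEO_ID.match?(m[1])
    "https://www.youtube.com/embed/#{m[1]}"
  rescue URI::InvalidURIError
    nil
  end
end

# Constructed sample post mixing a legitimate embed with the usual abuse.
SAMPLE_POST = <<~HTML
  <p>Watch this:</p>
  <iframe width="560" height="315" src="https://www.youtube.com/embed/dQw4w9WgXcQ?autoplay=1"></iframe>
  <iframe src="https://evil.example/phish"></iframe>
  <img src="javascript:alert(1)">
  <script>alert(document.cookie)</script>
  <a href="https://example.com" onclick="steal()">link</a>
HTML

begin
  require "rails-html-sanitizer" # gem "rails-html-sanitizer"; pulled in by Rails
rescue LoadError
  # Gem not installed: EmbedPolicy still works, the scrubber below is skipped.
end

if defined?(Rails::Html::PermitScrubber)
  # Allowlist scrubber that additionally gates <iframe> on its src URL.
  # Tag/attribute lists are assumptions; tighten them for your own CMS.
  class EmbedScrubber < Rails::Html::PermitScrubber
    def initialize
      super(prune: true) # drop disallowed elements together with their content
      self.tags = %w[p br a strong em ul ol li h1 h2 h3 img iframe]
      self.attributes = %w[href src alt title width height]
    end

    protected

    # Called for every element before its attributes are scrubbed, so
    # node["src"] is still the raw user-supplied value here.
    def allowed_node?(node)
      return super unless node.name == "iframe"
      canonical = EmbedPolicy.youtube_embed_url(node["src"])
      return false unless canonical # unknown src: remove the whole iframe
      node["src"] = canonical       # rewrite to the canonical embed URL
      true
    end
  end

  # Equivalent of <%= sanitize @post.body, scrubber: EmbedScrubber.new %>
  def sanitize_post_body(html)
    Rails::Html::SafeListSanitizer.new.sanitize(html, scrubber: EmbedScrubber.new)
  end
end
```

In a view this is `sanitize @post.body, scrubber: EmbedScrubber.new`; the helper's `tags:` and `attributes:` options are then ignored because the scrubber carries its own lists. The same `allowed_node?` hook is the place to gate `object`/`data` from the question's original list if you still need it, rather than allowing those tags unconditionally. Note that the URL attributes that survive the allowlist are still run through the sanitizer's protocol check, which is why the `javascript:` image source is dropped even though `src` is permitted.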