Why are "tel:" links removed in sanitization, and how to allow them

I am using Rails sanitize helper to clean up input text from users, that may be formatted as markdown.

I noticed that the method strips down tel: links, and I wonder why, and how can I allow them.

>> sanitize("<a href='http://123'>click</a>")
=> "<a href=\"http://123\">click</a>"
>> sanitize("<a href='tel:123'>click</a>")
=> "<a>click</a>"

Of course, I have tried figuring it out from the page linked above, but was unable to. I would prefer to avoid writing a "scrubber" class, or any other class for that simple task.

I have also tried what I think means "allow all hrefs" but it did not have any effect (even after restarting the server).

# In config/application.rb
config.action_view.sanitized_allowed_attributes = ['href']
DannyB asked Feb 27 '16 14:02


1 Answer

In Rails 4, Loofah is being used for sanitizing HTML. To know more please visit this link.

The Rails team extracted this feature into a separate gem.

If you check this line, Loofah::HTML5::WhiteList::ALLOWED_PROTOCOLS doesn't have tel in its list, thus it is being stripped off from anchor tags.

Solution:

  1. Create an initializer that would add tel to above set of protocols.

    Loofah::HTML5::WhiteList::ALLOWED_PROTOCOLS.add('tel')

  2. Restart app and this should work.
varunvlalan answered Oct 28 '22 15:10
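To make the protocol allow-list behaviour concrete, here is an added, self-contained Ruby model of the decision a sanitizer makes for each href (example code written for this page, not Loofah's or Rails' own implementation; the constant `DEFAULT_ALLOWED_PROTOCOLS` and the helper names are assumptions). It reproduces the irb session from the question: `tel:` is dropped with the default set and kept once `tel` is added, while `javascript:` stays blocked, including variants that hide the scheme behind whitespace or case changes. In current Loofah releases the same set is also reachable as `Loofah::HTML5::SafeList::ALLOWED_PROTOCOLS`; mutating it is process-wide, so an initializer is the right place for the change.

```ruby
require 'set'

# Constructed stand-in for a sanitizer's protocol allow-list (assumption: real
# sanitizers carry a longer list; the point is that 'tel' is absent by default).
DEFAULT_ALLOWED_PROTOCOLS = Set.new(%w[http https mailto ftp])

# Return the lower-cased URL scheme of an href, or nil for a relative URL.
# Leading/embedded ASCII control characters and spaces are removed first,
# because browsers ignore them ("java\tscript:" is still javascript:), so a
# check that keeps them would be bypassable.
def scheme_of(href)
  cleaned = href.to_s.gsub(/[\u0000-\u0020]/, '')
  m = cleaned.match(/\A([a-z][a-z0-9+.\-]*):/i)
  return nil unless m
  m[1].downcase
end

# An href is allowed when it is relative (no scheme) or its scheme is listed.
def href_allowed?(href, allowed = DEFAULT_ALLOWED_PROTOCOLS)
  scheme = scheme_of(href)
  scheme.nil? || allowed.include?(scheme)
end

# Apply the rule to simple <a href=...> tags, mirroring the question's output:
# a disallowed href is removed and the bare <a> is kept. Regex-based on purpose
# so the example runs without Nokogiri; a real sanitizer works on the DOM.
def sanitize_anchor(html, allowed = DEFAULT_ALLOWED_PROTOCOLS)
  html.gsub(/<a\s+href=(["'])(.*?)\1>/i) do
    href = Regexp.last_match(2)
    href_allowed?(href, allowed) ? %(<a href="#{href}">) : '<a>'
  end
end

# Equivalent of the answer's initializer: extend the set with 'tel'.
def with_tel(allowed = DEFAULT_ALLOWED_PROTOCOLS)
  allowed + %w[tel]
end

if __FILE__ == $PROGRAM_NAME
  puts sanitize_anchor("<a href='tel:123'>click</a>")            # <a>click</a>
  puts sanitize_anchor("<a href='tel:123'>click</a>", with_tel)  # <a href="tel:123">click</a>
  puts sanitize_anchor("<a href='javascript:alert(1)'>x</a>", with_tel)  # <a>x</a>
end
```

Adding a scheme only widens what survives sanitization; the allow-list still rejects anything it does not name, which is why extending it with `tel` is safer than turning the protocol check off.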