HTML::WhiteListSanitizer (original) (raw)


Instance Public methods

sanitize_css(style)

Sanitizes a block of CSS code. Used by HTML::Sanitizer#sanitize when it comes across a style attribute.


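# Sanitizes the value of a style attribute. Called from process_attributes_for
# for every style attribute that survives the attribute whitelist.
#
# The value first has every url(...) token removed, then must pass two
# whole-string checks (the "gauntlet") before individual declarations are
# extracted; only declarations whose property is in allowed_css_properties, or
# whose property is a shorthand in shorthand_css_properties with every value
# token being an allowed keyword, colour or number, are kept.
#
# @param style [#to_s] raw style attribute value (nil is treated as "")
# @return [String] surviving `prop: value;` declarations joined by a space,
#   or "" when the value fails the gauntlet
def sanitize_css(style)
  # Drop every url(...) token; its surrounding whitespace collapses to one space.
  style = style.to_s.gsub(/url\s*\(\s*[^\s)]+?\s*\)\s*/, ' ')

  # Gauntlet, part 1: only plain characters, hyphenated words, simple quoted
  # words and parenthesised number lists (e.g. rgb arguments) may appear.
  # Gauntlet, part 2: the value must parse as a list of `prop: value` pairs.
  # Both are anchored with \A/\z on purpose: in Ruby ^ and $ match at line
  # boundaries, so a value containing a newline could satisfy the check on its
  # first line while a later line carries characters the check is meant to
  # refuse; \A/\z make the whole string subject to the check.
  safe_chars   = /\A([:,;#%.\sa-zA-Z0-9!]|\w-\w|'[\s\w]+'|"[\s\w]+"|\([\d,\s]+\))*\z/
  declarations = /\A(\s*[-\w]+\s*:\s*[^:;]*(;|\z)\s*)*\z/
  return '' if style !~ safe_chars || style !~ declarations

  clean = []
  style.scan(/([-\w]+)\s*:\s*([^:;]*)/) do |prop, val|
    if allowed_css_properties.include?(prop.downcase)
      clean << "#{prop}: #{val};"
    elsif shorthand_css_properties.include?(prop.split('-').first.to_s.downcase)
      # A shorthand property survives only when every whitespace-separated
      # token is a known keyword, a hex colour, an rgb() colour, or a number
      # with an optional unit. Tokens come from split, so they never contain
      # newlines and \A/\z behave like the per-token anchors intended here.
      unsafe_token = val.split.any? do |keyword|
        !allowed_css_keywords.include?(keyword) &&
          keyword !~ /\A(#[0-9a-f]+|rgb\(\d+%?,\d*%?,?\d*%?\)?|\d{0,2}\.?\d{0,2}(cm|em|ex|in|mm|pc|pt|px|%|,|\))?)\z/
      end
      clean << "#{prop}: #{val};" unless unsafe_token
    end
  end
  clean.join(' ')
end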

Instance Protected methods

contains_bad_protocols?(attr_name, value)


def contains_bad_protocols?(attr_name, value) uri_attributes.include?(attr_name) && (value =~ /(^[^/:]):|(&#058)|(&#x70)|(%|%)3A/ && !allowed_protocols.include?(value.split(protocol_separator).first.downcase)) end

process_attributes_for(node, options)


def process_attributes_for(node, options) return unless node.attributes node.attributes.keys.each do |attr_name| value = node.attributes[attr_name].to_s

if !options[:attributes].include?(attr_name) || contains_bad_protocols?(attr_name, value)
  node.attributes.delete(attr_name)
else
  node.attributes[attr_name] = attr_name == 'style' ? sanitize_css(value) : CGI::escapeHTML(CGI::unescapeHTML(value))
end

end end

process_node(node, result, options)


# Appends the sanitized form of one token to result.
#
# For an HTML::Tag the open-tag stack in options[:parent] is updated first
# (closing tags pop, other tags push the tag name), its attributes are
# filtered, and the tag itself is kept only when its name is in
# options[:tags]. Any other token is treated as text: it is dropped when the
# innermost open tag is in bad_tags, otherwise its `<` characters are escaped.
#
# @param node [HTML::Tag, Object] tag or text token
# @param result [Array] output buffer; receives the node, escaped text, or nil
# @param options [Hash] :parent (stack of open tag names) and :tags (whitelist)
# @return [Array] result
def process_node(node, result, options)
  sanitized =
    case node
    when HTML::Tag
      # The stack is popped for any closing tag, not just one matching the top.
      if node.closing == :close
        options[:parent].shift
      else
        options[:parent].unshift(node.name)
      end

      process_attributes_for(node, options)

      node if options[:tags].include?(node.name)
    else
      node.to_s.gsub(/</, "&lt;") unless bad_tags.include?(options[:parent].first)
    end

  result << sanitized
end

tokenize(text, options)


def tokenize(text, options) options[:parent] = [] options[:attributes] ||= allowed_attributes options[:tags] ||= allowed_tags super end