Methods
Instance Public methods
sanitize_css(style)
Link
Sanitizes a block of css code. Used by sanitize when it comes across a style attribute
# File actionpack/lib/action_view/vendor/html-scanner/html/sanitizer.rb, line 119 def sanitize_css(style) # disallow urls style = style.to_s.gsub(/url\s*\(\s*[^\s)]+?\s*\)\s*/, ' ') # gauntlet if style !~ /\A([:,;#%.\sa-zA-Z0-9!]|\w-\w|\[\s\w]+\|\"[\s\w]+\"|\([\d,\s]+\))*\z/ || style !~ /\A(\s*[-\w]+\s*:\s*[^:;]*(;|$)\s*)*\z/ return '' end clean = [] style.scan(/([-\w]+)\s*:\s*([^:;]*)/) do |prop,val| if allowed_css_properties.include?(prop.downcase) clean << prop + ': ' + val + ';' elsif shorthand_css_properties.include?(prop.split('-')[0].downcase) unless val.split().any? do |keyword| !allowed_css_keywords.include?(keyword) && keyword !~ /\A(#[0-9a-f]+|rgb\(\d+%?,\d*%?,?\d*%?\)?|\d{0,2}\.?\d{0,2}(cm|em|ex|in|mm|pc|pt|px|%|,|\))?)\z/ end clean << prop + ': ' + val + ';' end end end clean.join(' ') end
Instance Protected methods
contains_bad_protocols?(attr_name, value)
Link
# File actionpack/lib/action_view/vendor/html-scanner/html/sanitizer.rb, line 183 def contains_bad_protocols?(attr_name, value) uri_attributes.include?(attr_name) && (value =~ /(^[^\/:]*):|(�*58)|(p)|(�*3a)|(%|%)3A/ && !allowed_protocols.include?(value.split(protocol_separator).first.downcase.strip)) end
process_attributes_for(node, options)
Link
# File actionpack/lib/action_view/vendor/html-scanner/html/sanitizer.rb, line 170 def process_attributes_for(node, options) return unless node.attributes node.attributes.keys.each do |attr_name| value = node.attributes[attr_name].to_s if !options[:attributes].include?(attr_name) || contains_bad_protocols?(attr_name, value) node.attributes.delete(attr_name) else node.attributes[attr_name] = attr_name == 'style' ? sanitize_css(value) : CGI::escapeHTML(CGI::unescapeHTML(value)) end end end
process_node(node, result, options)
Link
# File actionpack/lib/action_view/vendor/html-scanner/html/sanitizer.rb, line 153 def process_node(node, result, options) result << case node when HTML::Tag if node.closing == :close options[:parent].shift else options[:parent].unshift node.name end process_attributes_for node, options options[:tags].include?(node.name) ? node : nil else bad_tags.include?(options[:parent].first) ? nil : node.to_s.gsub(/</, "<") end end