Constants
CLOSE_CDATA_COMMENT = "<!-- </textarea></xmp> -->".html_safe.freeze

Close any open tags that support CDATA (textarea, xmp) before each form tag. This prevents attackers from injecting unclosed tags that could capture form contents. For example, an attacker might inject:

The HTML following this tag, up until the next

CLOSE_FORM_TAG = "</form>".html_safe.freeze

Close any open form tags before each new form tag. This prevents attackers from injecting unclosed forms that could leak markup offsite. For example, an attacker might inject:

The form elements following this tag, up until the next

CLOSE_OPTION_TAG = "</option>".html_safe.freeze

Close any open option tags before each form tag. This prevents attackers from injecting unclosed options that could leak markup offsite. For example, an attacker might inject:

The HTML following this tag, up until the next

CLOSE_QUOTES_COMMENT = %q(<!-- '"` -->).html_safe.freeze

Close any open attributes before each form tag. This prevents attackers from injecting partial tags that could leak markup offsite. For example, an attacker might inject:

The HTML following this tag, up until the next single quote would be sent to

CONTENT_EXFILTRATION_PREVENTION_MARKUP = (CLOSE_QUOTES_COMMENT + CLOSE_CDATA_COMMENT + CLOSE_OPTION_TAG + CLOSE_FORM_TAG).freeze
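To see the mechanism outside Rails, here is an added example that is not Rails' own code: the constants above as plain Ruby strings (String#html_safe is a Rails extension and is omitted), a hypothetical form_with_prevention stand-in for the helper's prepend step, and a hypothetical open_tags_at_form check that reports which of the closable tags is still open at the point where the application's own form begins. The sample page content is constructed.

```ruby
# The page's constants as plain Strings (String#html_safe is Rails-only;
# in Rails these are SafeBuffers, which only affects escaping on output).
CLOSE_CDATA_COMMENT  = "<!-- </textarea></xmp> -->".freeze
CLOSE_FORM_TAG       = "</form>".freeze
CLOSE_OPTION_TAG     = "</option>".freeze
CLOSE_QUOTES_COMMENT = %q(<!-- '"` -->).freeze
CONTENT_EXFILTRATION_PREVENTION_MARKUP =
  (CLOSE_QUOTES_COMMENT + CLOSE_CDATA_COMMENT + CLOSE_OPTION_TAG + CLOSE_FORM_TAG).freeze

# Hypothetical stand-in for the helper's prepend step: emit the prevention
# markup immediately before the form so that any tag left open earlier in
# the page is closed before the form's own fields begin.
def form_with_prevention(form_html)
  CONTENT_EXFILTRATION_PREVENTION_MARKUP + form_html
end

# Hypothetical defender-side check: which of the tags the constants close
# (textarea, xmp, form, option) is still open where form_html starts in
# page_html? A tag counts as open when more openers than closers precede
# the form. Plain counting is enough here because a browser also treats a
# literal "</textarea>" inside the comment as ending an open textarea.
def open_tags_at_form(page_html, form_html)
  before = page_html[0, page_html.index(form_html)]
  %w[textarea xmp form option].select do |tag|
    before.scan(/<#{tag}\b/i).size > before.scan(%r{</#{tag}\s*>}i).size
  end
end

# Constructed sample: page content that already contains an unclosed
# <textarea> (e.g. from unescaped user input), followed by the app's form.
SAMPLE_PREFIX = "<p>Latest comment: <textarea>".freeze
SAMPLE_FORM   = '<form action="/comments" method="post"><input name="body"></form>'.freeze

# Returns [open tags without prevention, open tags with prevention].
def demo
  [
    open_tags_at_form(SAMPLE_PREFIX + SAMPLE_FORM, SAMPLE_FORM),
    open_tags_at_form(SAMPLE_PREFIX + form_with_prevention(SAMPLE_FORM), SAMPLE_FORM),
  ]
end

puts demo.inspect # => [["textarea"], []]
```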