Sanitizes a block of CSS code. Used by process_attributes_for when it comes across a style attribute.
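# Sanitizes a block of CSS taken from a +style+ attribute.
#
# Strips +url(...)+ calls, rejects the whole value unless it consists only of
# whitelisted characters and is shaped like a declaration list, then rebuilds
# the output from the individual +prop: val+ pairs that pass the property and
# keyword whitelists.
#
# @param style [#to_s] raw, untrusted contents of a +style+ attribute
# @return [String] the permitted +prop: val;+ declarations joined by a space,
#   or +''+ when the input fails the gauntlet
def sanitize_css(style)
  # disallow urls
  style = style.to_s.gsub(/url\s*\(\s*[^\s)]+?\s*\)\s*/, ' ')

  # gauntlet: the whole string must be made of whitelisted characters and look
  # like a list of declarations. Anchored with \A/\z rather than ^/$: those
  # match per line, so a value containing a newline could otherwise pass on
  # the strength of a single clean line.
  return '' if style !~ /\A([:,;#%.\sa-zA-Z0-9!]|\w-\w|\'[\s\w]+\'|\"[\s\w]+\"|\([\d,\s]+\))*\z/ ||
               style !~ /\A(\s*[-\w]+\s*:\s*[^:;]*(;|$)\s*)*\z/

  clean = []
  style.scan(/([-\w]+)\s*:\s*([^:;]*)/) do |prop, val|
    if allowed_css_properties.include?(prop.downcase)
      clean << "#{prop}: #{val};"
    elsif shorthand_css_properties.include?(prop.split('-')[0].downcase)
      # shorthand properties are kept only when every whitespace-separated
      # keyword is a known keyword, a hex colour, an rgb() call, or a number
      # with a unit
      safe = val.split.all? do |keyword|
        allowed_css_keywords.include?(keyword) ||
          keyword =~ /\A(#[0-9a-f]+|rgb\(\d+%?,\d*%?,?\d*%?\)?|\d{0,2}\.?\d{0,2}(cm|em|ex|in|mm|pc|pt|px|%|,|\))?)\z/
      end
      clean << "#{prop}: #{val};" if safe
    end
  end
  clean.join(' ')
end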
# True when +attr_name+ is one of the URI-carrying attributes and +value+
# starts with a protocol that is not in +allowed_protocols+.
#
# @param attr_name [String] attribute name, checked against +uri_attributes+
# @param value [String] raw attribute value
# @return [Boolean] truthy when the attribute should be dropped
def contains_bad_protocols?(attr_name, value)
  uri_attributes.include?(attr_name) &&
  # NOTE(review): the alternatives after the first one look garbled in this
  # rendering ((p) and (%|%) read like entity spellings of ':' that the page
  # has decoded); confirm the regexp against the source file before relying
  # on this listing.
  (value =~ /(^[^\/:]*):|(�*58)|(p)|(%|%)3A/ && !allowed_protocols.include?(value.split(protocol_separator).first.downcase))
end
# Scrubs the attributes of +node+ in place.
#
# An attribute is removed when its name is not in +options[:attributes]+ or
# when +contains_bad_protocols?+ rejects its value. Surviving +style+ values
# go through +sanitize_css+; every other value is re-escaped for HTML.
#
# @param node [#attributes] node whose attribute hash is mutated
# @param options [Hash] must provide +:attributes+, the attribute whitelist
# @return [nil] when the node has no attributes
def process_attributes_for(node, options)
  return unless node.attributes

  # iterate over a snapshot of the keys so deleting during the loop is safe
  node.attributes.keys.each do |name|
    raw = node.attributes[name].to_s
    # the protocol check only runs for whitelisted names
    permitted = options[:attributes].include?(name) && !contains_bad_protocols?(name, raw)

    unless permitted
      node.attributes.delete(name)
      next
    end

    node.attributes[name] =
      if name == 'style'
        sanitize_css(raw)
      else
        # normalise first so already-escaped input is not double-escaped
        CGI::escapeHTML(CGI::unescapeHTML(raw))
      end
  end
end
# Appends the sanitized form of +node+ to +result+.
#
# Tags maintain +options[:parent]+ as a stack of open tag names (closing tags
# pop, opening tags push), have their attributes scrubbed, and are kept only
# when their name is in +options[:tags]+. Text nodes are dropped entirely
# while the innermost open tag is in +bad_tags+, otherwise escaped.
#
# @param node [HTML::Tag, HTML::Node] node being processed
# @param result [Array] output buffer; +nil+ is appended for dropped nodes
# @param options [Hash] must provide +:parent+ (stack), +:tags+ (whitelist)
# @return [Array] +result+
def process_node(node, result, options)
  result << case node
  when HTML::Tag
    if node.closing == :close
      options[:parent].shift
    else
      # NOTE(review): self-closing tags are pushed here too; whether they are
      # ever popped is not visible from this method — confirm.
      options[:parent].unshift node.name
    end

    # attributes are scrubbed even when the tag itself is dropped below
    process_attributes_for node, options

    options[:tags].include?(node.name) ? node : nil
  else
    # NOTE(review): as rendered here the replacement is a literal "<", which
    # makes this gsub a no-op; the source presumably escapes to an entity —
    # confirm against the file, since this is the text-node escaping step.
    bad_tags.include?(options[:parent].first) ? nil : node.to_s.gsub(/</, "<")
  end
end