
HTML::WhiteListSanitizer

Public Instance Methods

sanitize_css(style)

Sanitizes a block of CSS code. Used by process_attributes_for when it comes across a style attribute.

     # File lib/action_controller/vendor/html-scanner/html/sanitizer.rb, line 108
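    # Sanitizes a block of CSS (the value of a +style+ attribute).
    #
    # Every +url(...)+ token is blanked first.  The whole declaration list
    # must then pass two "gauntlet" patterns (an allowed character set, and
    # the +prop: value;+ shape) or the entire value is discarded.  Each
    # surviving declaration is kept when its property is listed in
    # +allowed_css_properties+, or when its shorthand prefix is listed in
    # +shorthand_css_properties+ and every whitespace-separated keyword of
    # the value is either in +allowed_css_keywords+ or looks like a colour
    # or dimension literal.
    #
    # All patterns are anchored with +\A+ / +\z+ rather than +^+ / +$+:
    # in Ruby the latter match at line boundaries, so a value containing a
    # newline would be checked line by line instead of as one string.
    #
    # @param style [#to_s] raw declaration list from an untrusted source
    # @return [String] the accepted declarations joined by a space, or ''
    #   when the value fails the gauntlet
    def sanitize_css(style)
      # disallow urls
      style = style.to_s.gsub(/url\s*\(\s*[^\s)]+?\s*\)\s*/, ' ')

      # gauntlet: whole-string checks on the character set and on the
      # "prop: value;" shape
      if style !~ /\A([:,;#%.\sa-zA-Z0-9!]|\w-\w|\'[\s\w]+\'|\"[\s\w]+\"|\([\d,\s]+\))*\z/ ||
          style !~ /\A(\s*[-\w]+\s*:\s*[^:;]*(;|\z)\s*)*\z/
        return ''
      end

      clean = []
      style.scan(/([-\w]+)\s*:\s*([^:;]*)/) do |prop, val|
        if allowed_css_properties.include?(prop.downcase)
          clean << "#{prop}: #{val};"
        elsif shorthand_css_properties.include?(prop.split('-').first.downcase)
          # a shorthand value is accepted only if every keyword is an allowed
          # word or a colour / length literal
          bad_keyword = val.split.any? do |keyword|
            !allowed_css_keywords.include?(keyword) &&
              keyword !~ /\A(#[0-9a-f]+|rgb\(\d+%?,\d*%?,?\d*%?\)?|\d{0,2}\.?\d{0,2}(cm|em|ex|in|mm|pc|pt|px|%|,|\))?)\z/
          end
          clean << "#{prop}: #{val};" unless bad_keyword
        end
      end
      clean.join(' ')
    end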

Protected Instance Methods

contains_bad_protocols?(attr_name, value)
     # File lib/action_controller/vendor/html-scanner/html/sanitizer.rb, line 172
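    # Returns a truthy value when +attr_name+ is one of +uri_attributes+ and
    # +value+ names a protocol that is not in +allowed_protocols+.
    #
    # The pattern looks for a literal colon before any slash, or for one of
    # the encoded separators (+&#58;+, +%3A+ / +&#37;3A+).
    # NOTE(review): +&#x70+ is the entity for "p" (0x70), not for ":"
    # (0x3A); confirm whether +&#x3A+ was intended.  +protocol_separator+
    # is defined elsewhere in the class and is presumably the same list.
    #
    # @param attr_name [String] attribute name as found on the node
    # @param value [String] attribute value (caller passes +to_s+ of it)
    # @return [Boolean] true when the attribute must be dropped
    def contains_bad_protocols?(attr_name, value)
      return false unless uri_attributes.include?(attr_name)
      return false unless value =~ /(^[^\/:]*):|(&#0*58)|(&#x70)|(%|&#37;)3A/

      # String#split returns [] when the value is nothing but a separator
      # (e.g. ":"), so guard against a nil first element before downcasing.
      protocol = value.split(protocol_separator).first.to_s.downcase
      !allowed_protocols.include?(protocol)
    end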
process_attributes_for(node, options)
     # File lib/action_controller/vendor/html-scanner/html/sanitizer.rb, line 159
    # Filters the attributes of +node+ in place.
    #
    # An attribute is removed when its name is not in +options[:attributes]+
    # or when +contains_bad_protocols?+ rejects its value.  A surviving
    # +style+ attribute is run through +sanitize_css+; every other surviving
    # value is HTML-unescaped and re-escaped, so existing entities are
    # normalised rather than double-encoded.
    #
    # @param node [#attributes] node whose +attributes+ Hash is edited
    # @param options [Hash] must hold the +:attributes+ whitelist
    # @return [nil] when the node has no attributes
    def process_attributes_for(node, options)
      attributes = node.attributes
      return unless attributes

      allowed = options[:attributes]
      # iterate over a snapshot of the keys so deleting is safe
      attributes.keys.each do |name|
        value = attributes[name].to_s
        keep = allowed.include?(name) && !contains_bad_protocols?(name, value)

        unless keep
          attributes.delete(name)
          next
        end

        attributes[name] =
          if name == 'style'
            sanitize_css(value)
          else
            CGI.escapeHTML(CGI.unescapeHTML(value))
          end
      end
    end
process_node(node, result, options)
     # File lib/action_controller/vendor/html-scanner/html/sanitizer.rb, line 142
    # Appends the sanitized form of +node+ to +result+.
    #
    # For an HTML::Tag the +options[:parent]+ stack is maintained (a closing
    # tag pops it, anything else pushes the tag name), the attributes are
    # filtered, and the tag itself is kept only when its name is in
    # +options[:tags]+.  Any other node is treated as text: it is dropped
    # while the innermost open tag is one of +bad_tags+, otherwise its
    # +<+ characters are escaped (only +<+; +>+ and +&+ are left as is).
    # NOTE(review): only +closing == :close+ pops the stack; any other
    # closing value pushes a name that is never popped — confirm this is
    # intended for self-closing tags, if the tokenizer reports them.
    #
    # @param node [HTML::Tag, #to_s] token produced by the tokenizer
    # @param result [Array] output buffer; receives the node, a String, or nil
    # @param options [Hash] holds +:parent+ (stack) and +:tags+ (whitelist)
    # @return [Array] +result+
    def process_node(node, result, options)
      sanitized =
        if node.is_a?(HTML::Tag)
          parents = options[:parent]
          if node.closing == :close
            parents.shift
          else
            parents.unshift(node.name)
          end

          process_attributes_for(node, options)

          node if options[:tags].include?(node.name)
        elsif !bad_tags.include?(options[:parent].first)
          node.to_s.gsub(/</, "&lt;")
        end
      result << sanitized
    end
tokenize(text, options)
     # File lib/action_controller/vendor/html-scanner/html/sanitizer.rb, line 135
    # Prepares +options+ before handing tokenization to the superclass.
    #
    # Resets the +:parent+ tag stack, and fills +:attributes+ and +:tags+
    # from +allowed_attributes+ / +allowed_tags+ when the caller left them
    # unset, then delegates to +super+ with the same arguments.
    #
    # @param text [String] markup to tokenize
    # @param options [Hash] mutated in place
    # @return whatever the superclass implementation returns
    def tokenize(text, options)
      options[:parent] = []
      options[:attributes] = allowed_attributes unless options[:attributes]
      options[:tags] = allowed_tags unless options[:tags]
      super(text, options)
    end
