Class HTML::WhiteListSanitizer
In: vendor/rails/actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb
Parent: Sanitizer

Methods

Public Instance methods

Sanitizes a block of CSS code. Used by +sanitize+ when it encounters a +style+ attribute.


     # File vendor/rails/actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb, line 104
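    # Sanitizes a block of CSS (the value of a +style+ attribute).
    #
    # Steps: strip +url()+ references; reject the whole value (return '')
    # unless every character is on the character whitelist and the value
    # parses as a sequence of <tt>property: value;</tt> declarations; then
    # rebuild the declaration list from the properties listed in
    # +allowed_css_properties+, plus those whose leading word is in
    # +shorthand_css_properties+ provided every whitespace-separated value
    # token is an +allowed_css_keywords+ entry, a hex colour, an +rgb()+ call
    # or a number with an optional unit.
    #
    # The whitelist regexes are anchored with <tt>\A</tt>/<tt>\z</tt> so they
    # must match the whole value: in Ruby <tt>^</tt>/<tt>$</tt> anchor a single
    # line, which would let a multi-line value pass the gauntlet on the
    # strength of one clean line.
    #
    # Returns the cleaned declaration list as a String, '' when rejected.
    def sanitize_css(style)
      # disallow urls
      style = style.to_s.gsub(/url\s*\(\s*[^\s)]+?\s*\)\s*/, ' ')

      # gauntlet: whole-string anchored character whitelist, then a
      # whole-string anchored "prop: value;" structure check
      if style !~ /\A([:,;#%.\sa-zA-Z0-9!]|\w-\w|\'[\s\w]+\'|\"[\s\w]+\"|\([\d,\s]+\))*\z/ ||
          style !~ /\A(\s*[-\w]+\s*:\s*[^:;]*(;|\z)\s*)*\z/
        return ''
      end

      clean = []
      style.scan(/([-\w]+)\s*:\s*([^:;]*)/) do |prop, val|
        if allowed_css_properties.include?(prop.downcase)
          clean << prop + ': ' + val + ';'
        elsif shorthand_css_properties.include?(prop.split('-')[0].downcase)
          # a shorthand property survives only if every token of its value is
          # a whitelisted keyword, a hex colour, an rgb() call or a number
          # with an optional unit (whole-token anchored)
          safe_tokens = val.split.all? do |keyword|
            allowed_css_keywords.include?(keyword) ||
              keyword =~ /\A(#[0-9a-f]+|rgb\(\d+%?,\d*%?,?\d*%?\)?|\d{0,2}\.?\d{0,2}(cm|em|ex|in|mm|pc|pt|px|%|,|\))?)\z/
          end
          clean << prop + ': ' + val + ';' if safe_tokens
        end
      end
      clean.join(' ')
    end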

Protected Instance methods


     # File vendor/rails/actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb, line 168
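    # Returns a truthy value when +attr_name+ is one of +uri_attributes+ and
    # +value+ carries a protocol that is not in +allowed_protocols+.
    #
    # A protocol is detected by a literal <tt>scheme:</tt> prefix or by an
    # encoded colon: <tt>&#58;</tt> (any number of leading zeros),
    # <tt>&#x3a;</tt> (any number of leading zeros), <tt>%3A</tt> or
    # <tt>&#37;3A</tt>; the <tt>&#x70</tt> alternative is retained from the
    # original pattern. The match is case-insensitive so that upper-case hex
    # digits or an upper-case <tt>X</tt> in the entity are treated like the
    # lower-case forms. The scheme compared against the whitelist is the text
    # before the first +protocol_separator+ match.
    #
    # Note that +process_attributes_for+ calls this on the raw attribute value,
    # before the value is entity-normalised with CGI.
    def contains_bad_protocols?(attr_name, value)
      uri_attributes.include?(attr_name) &&
        (value =~ /(^[^\/:]*):|(&#0*58)|(&#x0*3a)|(&#x70)|(%|&#37;)3A/i &&
          !allowed_protocols.include?(value.split(protocol_separator).first))
    end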


     # File vendor/rails/actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb, line 155
    # Filters the attributes of +node+ in place.
    #
    # An attribute is removed when its name is not in
    # <tt>options[:attributes]</tt> or when +contains_bad_protocols?+ flags its
    # value. A surviving +style+ value is replaced by +sanitize_css+; any
    # other surviving value is entity-normalised by unescaping and then
    # re-escaping it with CGI. Returns nil when the node has no attributes.
    def process_attributes_for(node, options)
      return unless node.attributes

      # iterate over a snapshot of the names because entries are deleted below
      node.attributes.keys.each do |attr_name|
        value = node.attributes[attr_name].to_s
        keep = options[:attributes].include?(attr_name) &&
          !contains_bad_protocols?(attr_name, value)

        unless keep
          node.attributes.delete(attr_name)
          next
        end

        node.attributes[attr_name] =
          if attr_name == 'style'
            sanitize_css(value)
          else
            CGI::escapeHTML(CGI::unescapeHTML(value))
          end
      end
    end


     # File vendor/rails/actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb, line 138
    # Appends the sanitized form of +node+ to +result+ and returns +result+.
    #
    # For an HTML::Tag the stack of open tag names in
    # <tt>options[:parent]</tt> is popped (closing tag) or pushed (opening
    # tag), the attributes are filtered with +process_attributes_for+, and the
    # tag itself is kept only if its name is in <tt>options[:tags]</tt>
    # (nil otherwise). Any other node is dropped (nil) when the innermost open
    # tag is in +bad_tags+, else its string form is appended with every "<"
    # replaced by "&lt;".
    #
    # NOTE(review): only "<" is escaped on the text path; ">" and "&" in
    # node.to_s pass through unchanged.
    def process_node(node, result, options)
      parents = options[:parent]
      sanitized =
        if node.is_a?(HTML::Tag)
          # keep the open-tag stack in sync with the token stream
          if node.closing == :close
            parents.shift
          else
            parents.unshift(node.name)
          end

          process_attributes_for(node, options)

          node if options[:tags].include?(node.name)
        elsif bad_tags.include?(parents.first)
          nil
        else
          node.to_s.gsub(/</, "&lt;")
        end
      result << sanitized
    end


     # File vendor/rails/actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb, line 131
    # Prepares +options+ before delegating to the parent tokenizer: resets the
    # open-tag stack in <tt>options[:parent]</tt> and fills in the attribute
    # and tag whitelists from +allowed_attributes+ / +allowed_tags+ when the
    # caller did not supply them.
    def tokenize(text, options)
      options[:parent] = []
      options[:attributes] = allowed_attributes unless options[:attributes]
      options[:tags] = allowed_tags unless options[:tags]
      super(text, options)
    end
