Class | HTML::WhiteListSanitizer |
In: |
vendor/rails/actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb
|
Parent: | Sanitizer |
Sanitizes a block of CSS code. Used by sanitize when it comes across a style attribute.
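# File vendor/rails/actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb, line 104
# Sanitizes a block of CSS (the value of a +style+ attribute).
#
# Any +url(...)+ reference is stripped first. The remaining text must then
# pass two whole-string gauntlets (a character whitelist and a
# "prop: value;" shape check). Finally only declarations whose property is
# in +allowed_css_properties+, or whose shorthand root is in
# +shorthand_css_properties+ and whose every value token is an
# +allowed_css_keywords+ entry, a hex colour, an rgb() triple or a number
# with an optional unit, are re-emitted.
#
# @param style [String, nil] raw CSS; +nil+ is treated as an empty string
# @return [String] the cleaned declarations joined by a single space, or
#   +''+ when the input fails either gauntlet
def sanitize_css(style)
  # disallow urls
  style = style.to_s.gsub(/url\s*\(\s*[^\s)]+?\s*\)\s*/, ' ')

  # gauntlet: anchored with \A and \z so the WHOLE value must pass, not just
  # one line of it (^ and $ match at every line break, so a newline in the
  # attribute could smuggle arbitrary text past the character whitelist)
  if style !~ /\A([:,;#%.\sa-zA-Z0-9!]|\w-\w|\'[\s\w]+\'|\"[\s\w]+\"|\([\d,\s]+\))*\z/ ||
     style !~ /\A(\s*[-\w]+\s*:\s*[^:;]*(;|\z)\s*)*\z/
    return ''
  end

  clean = []
  style.scan(/([-\w]+)\s*:\s*([^:;]*)/) do |prop, val|
    if allowed_css_properties.include?(prop.downcase)
      clean << "#{prop}: #{val};"
    elsif shorthand_css_properties.include?(prop.split('-')[0].downcase)
      # every whitespace-separated token of a shorthand value must be a known
      # keyword or match the colour/number literal pattern (again anchored to
      # the whole token, not a line of it)
      value_ok = val.split.all? do |keyword|
        allowed_css_keywords.include?(keyword) ||
          keyword =~ /\A(#[0-9a-f]+|rgb\(\d+%?,\d*%?,?\d*%?\)?|\d{0,2}\.?\d{0,2}(cm|em|ex|in|mm|pc|pt|px|%|,|\))?)\z/
      end
      clean << "#{prop}: #{val};" if value_ok
    end
  end
  clean.join(' ')
end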
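# File vendor/rails/actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb, line 168
# Reports whether +value+, sitting in the URI-carrying attribute
# +attr_name+, declares a protocol that is not in +allowed_protocols+.
#
# The regexp looks for a scheme separator in literal (":"), decimal-entity
# ("&#58;" with any number of leading zeros), hex-entity ("&#x70") or
# percent-encoded ("%3A" / "&#37;3A") form; the /i flag makes the entity
# and percent spellings match regardless of case. The leading "^" is kept
# on purpose: a separator on any line counts, which errs toward rejecting.
# Only when a separator is found is the text before +protocol_separator+
# compared against the whitelist.
#
# @param attr_name [String] attribute name as found on the tag
# @param value [String] the attribute's raw value
# @return [Boolean] truthy when the attribute should be removed
def contains_bad_protocols?(attr_name, value)
  uri_attributes.include?(attr_name) &&
    (value =~ /(^[^\/:]*):|(&#0*58)|(&#x70)|(%|&#37;)3A/i &&
     !allowed_protocols.include?(value.split(protocol_separator).first))
end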
# File vendor/rails/actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb, line 155
# Filters and re-encodes the attributes of +node+ in place.
#
# An attribute survives only if its name is in +options[:attributes]+ and
# +contains_bad_protocols?+ does not flag its value; everything else is
# deleted. A surviving +style+ value goes through +sanitize_css+; any other
# surviving value is HTML-unescaped and then escaped again, so whatever
# entities it already carried end up encoded exactly once.
#
# @param node [HTML::Node] node whose +attributes+ hash (if any) is edited
# @param options [Hash] sanitizer options; +:attributes+ is the whitelist
# @return [nil]
def process_attributes_for(node, options)
  return unless node.attributes

  whitelist = options[:attributes]
  # iterate over a snapshot of the keys because entries are deleted below
  node.attributes.keys.each do |name|
    raw = node.attributes[name].to_s

    if whitelist.include?(name) && !contains_bad_protocols?(name, raw)
      node.attributes[name] =
        if name == 'style'
          sanitize_css(raw)
        else
          CGI.escapeHTML(CGI.unescapeHTML(raw))
        end
    else
      node.attributes.delete(name)
    end
  end
end
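# File vendor/rails/actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb, line 138
# Appends the sanitized form of one parsed node to +result+.
#
# For a tag, the stack in +options[:parent]+ is updated (closing tags pop,
# every other tag pushes its name), its attributes are filtered through
# +process_attributes_for+, and the tag itself is kept only when its name
# is in +options[:tags]+. For any other node (text), the node is dropped
# when the innermost open tag is in +bad_tags+; otherwise its text is
# emitted with every "<" replaced by "&lt;" so it cannot open a new tag.
# A +nil+ is appended for dropped nodes.
#
# NOTE(review): a tag whose +closing+ is neither +:close+ nor nil (a
# self-closing tag, if this tokenizer reports one) is pushed but never
# popped, which would skew the parent stack — confirm against the tokenizer.
#
# @param node [HTML::Node] tag or text node
# @param result [Array] output buffer the sanitized node is appended to
# @param options [Hash] sanitizer options with +:parent+ and +:tags+
# @return [Array] +result+
def process_node(node, result, options)
  result << case node
  when HTML::Tag
    if node.closing == :close
      options[:parent].shift
    else
      options[:parent].unshift node.name
    end

    process_attributes_for node, options

    options[:tags].include?(node.name) ? node : nil
  else
    # text must be escaped (not left verbatim) or it would re-enter the markup
    bad_tags.include?(options[:parent].first) ? nil : node.to_s.gsub(/</, "&lt;")
  end
end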