aboutsummaryrefslogtreecommitdiffstats
path: root/actionview/lib/action_view/helpers/sanitize_helper.rb
diff options
context:
space:
mode:
authorTimm <kaspth@gmail.com>2013-06-12 15:59:34 +0200
committerTimm <kaspth@gmail.com>2014-06-11 17:53:28 +0200
commitc94e24fbe7bcdf605cafcfabdf97454d1e1e0685 (patch)
treec87092cfabcbb09f8351722b6127dc7d37c87a8f /actionview/lib/action_view/helpers/sanitize_helper.rb
parent47baab0c415690aeb71ef3bc4831a462d8ead47b (diff)
downloadrails-c94e24fbe7bcdf605cafcfabdf97454d1e1e0685.tar.gz
rails-c94e24fbe7bcdf605cafcfabdf97454d1e1e0685.tar.bz2
rails-c94e24fbe7bcdf605cafcfabdf97454d1e1e0685.zip
Added Loofah as a dependency in actionview.gemspec.
Implemented ActionView: FullSanitizer, LinkSanitizer and WhiteListSanitizer in sanitizers.rb. Deprecated protocol_separator and bad_tags. Added new tests in sanitizers_test.rb and reimplemented assert_dom_equal with Loofah.
Diffstat (limited to 'actionview/lib/action_view/helpers/sanitize_helper.rb')
-rw-r--r--actionview/lib/action_view/helpers/sanitize_helper.rb47
1 files changed, 24 insertions, 23 deletions
diff --git a/actionview/lib/action_view/helpers/sanitize_helper.rb b/actionview/lib/action_view/helpers/sanitize_helper.rb
index 049af275b6..66894b5936 100644
--- a/actionview/lib/action_view/helpers/sanitize_helper.rb
+++ b/actionview/lib/action_view/helpers/sanitize_helper.rb
@@ -1,5 +1,5 @@
require 'active_support/core_ext/object/try'
-require 'action_view/vendor/html-scanner'
+require 'action_view/helpers/sanitize_helper/sanitizers'
module ActionView
# = Action View Sanitize Helpers
@@ -65,9 +65,9 @@ module ActionView
self.class.white_list_sanitizer.sanitize_css(style)
end
- # Strips all HTML tags from the +html+, including comments. This uses the
- # html-scanner tokenizer and so its HTML parsing ability is limited by
- # that of html-scanner.
+ # Strips all HTML tags from the +html+, including comments. This uses
+ # Nokogiri for tokenization (via Loofah) and so its HTML parsing ability
+ # is limited by that of Nokogiri.
#
# strip_tags("Strip <i>these</i> tags!")
# # => Strip these tags!
@@ -134,11 +134,7 @@ module ActionView
white_list_sanitizer.allowed_protocols
end
- def sanitized_protocol_separator=(value)
- white_list_sanitizer.protocol_separator = value
- end
-
- # Gets the HTML::FullSanitizer instance used by +strip_tags+. Replace with
+ # Gets the ActionView::FullSanitizer instance used by +strip_tags+. Replace with
# any object that responds to +sanitize+.
#
# class Application < Rails::Application
@@ -146,21 +142,21 @@ module ActionView
# end
#
def full_sanitizer
- @full_sanitizer ||= HTML::FullSanitizer.new
+ @full_sanitizer ||= ActionView::FullSanitizer.new
end
- # Gets the HTML::LinkSanitizer instance used by +strip_links+. Replace with
- # any object that responds to +sanitize+.
+ # Gets the ActionView::LinkSanitizer instance used by +strip_links+.
+ # Replace with any object that responds to +sanitize+.
#
# class Application < Rails::Application
# config.action_view.link_sanitizer = MySpecialSanitizer.new
# end
#
def link_sanitizer
- @link_sanitizer ||= HTML::LinkSanitizer.new
+ @link_sanitizer ||= ActionView::LinkSanitizer.new
end
- # Gets the HTML::WhiteListSanitizer instance used by sanitize and +sanitize_css+.
+ # Gets the ActionView::WhiteListSanitizer instance used by sanitize and +sanitize_css+.
# Replace with any object that responds to +sanitize+.
#
# class Application < Rails::Application
@@ -168,7 +164,12 @@ module ActionView
# end
#
def white_list_sanitizer
- @white_list_sanitizer ||= HTML::WhiteListSanitizer.new
+ @white_list_sanitizer ||= ActionView::WhiteListSanitizer.new
+ end
+
+
+ def sanitized_protocol_separator=(value)
+ ActionView::WhiteListSanitizer.protocol_separator = value
end
# Adds valid HTML attributes that the +sanitize+ helper checks for URIs.
@@ -178,7 +179,7 @@ module ActionView
# end
#
def sanitized_uri_attributes=(attributes)
- HTML::WhiteListSanitizer.uri_attributes.merge(attributes)
+ ActionView::WhiteListSanitizer.update_uri_attributes(attributes)
end
# Adds to the Set of 'bad' tags for the +sanitize+ helper.
@@ -188,7 +189,7 @@ module ActionView
# end
#
def sanitized_bad_tags=(attributes)
- HTML::WhiteListSanitizer.bad_tags.merge(attributes)
+ ActionView::WhiteListSanitizer.bad_tags = attributes
end
# Adds to the Set of allowed tags for the +sanitize+ helper.
@@ -198,7 +199,7 @@ module ActionView
# end
#
def sanitized_allowed_tags=(attributes)
- HTML::WhiteListSanitizer.allowed_tags.merge(attributes)
+ ActionView::WhiteListSanitizer.update_allowed_tags(attributes)
end
# Adds to the Set of allowed HTML attributes for the +sanitize+ helper.
@@ -208,7 +209,7 @@ module ActionView
# end
#
def sanitized_allowed_attributes=(attributes)
- HTML::WhiteListSanitizer.allowed_attributes.merge(attributes)
+ ActionView::WhiteListSanitizer.update_allowed_attributes(attributes)
end
# Adds to the Set of allowed CSS properties for the #sanitize and +sanitize_css+ helpers.
@@ -218,7 +219,7 @@ module ActionView
# end
#
def sanitized_allowed_css_properties=(attributes)
- HTML::WhiteListSanitizer.allowed_css_properties.merge(attributes)
+ ActionView::WhiteListSanitizer.update_allowed_css_properties(attributes)
end
# Adds to the Set of allowed CSS keywords for the +sanitize+ and +sanitize_css+ helpers.
@@ -228,7 +229,7 @@ module ActionView
# end
#
def sanitized_allowed_css_keywords=(attributes)
- HTML::WhiteListSanitizer.allowed_css_keywords.merge(attributes)
+ ActionView::WhiteListSanitizer.update_allowed_css_keywords(attributes)
end
# Adds to the Set of allowed shorthand CSS properties for the +sanitize+ and +sanitize_css+ helpers.
@@ -238,7 +239,7 @@ module ActionView
# end
#
def sanitized_shorthand_css_properties=(attributes)
- HTML::WhiteListSanitizer.shorthand_css_properties.merge(attributes)
+ ActionView::WhiteListSanitizer.update_shorthand_css_properties(attributes)
end
# Adds to the Set of allowed protocols for the +sanitize+ helper.
@@ -248,7 +249,7 @@ module ActionView
# end
#
def sanitized_allowed_protocols=(attributes)
- HTML::WhiteListSanitizer.allowed_protocols.merge(attributes)
+ ActionView::WhiteListSanitizer.update_allowed_protocols(attributes)
end
end
end