author | Timm <kaspth@gmail.com> | 2013-07-10 16:27:39 +0200 |
---|---|---|
committer | Timm <kaspth@gmail.com> | 2014-06-15 23:39:04 +0200 |
commit | 40bbb4914f7158ec070d7249c527217d95f74f4c (patch) | |
tree | f9aae38ae5b91e268382d576d0440bc606a637c6 /actionview/lib/action_view/helpers/sanitize_helper | |
parent | 68f75b9795f1d9c3fc30f54e035d01d6d687d4fa (diff) | |
download | rails-40bbb4914f7158ec070d7249c527217d95f74f4c.tar.gz rails-40bbb4914f7158ec070d7249c527217d95f74f4c.tar.bz2 rails-40bbb4914f7158ec070d7249c527217d95f74f4c.zip |
Added comment removal. Changed definition of remove_xpaths to not use a splat operator.
Diffstat (limited to 'actionview/lib/action_view/helpers/sanitize_helper')
-rw-r--r-- | actionview/lib/action_view/helpers/sanitize_helper/sanitizers.rb | 35 |
1 files changed, 24 insertions, 11 deletions
diff --git a/actionview/lib/action_view/helpers/sanitize_helper/sanitizers.rb b/actionview/lib/action_view/helpers/sanitize_helper/sanitizers.rb
index 187d0ffbfa..eb353d79e2 100644
--- a/actionview/lib/action_view/helpers/sanitize_helper/sanitizers.rb
+++ b/actionview/lib/action_view/helpers/sanitize_helper/sanitizers.rb
@@ -4,19 +4,32 @@ require 'action_view/helpers/sanitize_helper/permit_scrubber'
 require 'loofah'
 module ActionView
-
- class FullSanitizer
+ class Sanitizer
 def sanitize(html, options = {})
- if html
- return html if html.empty?
- Loofah.fragment(html).text
- else
- nil
+ raise NotImplementedError, "subclasses must implement"
+ end
+
+ def remove_xpaths(html, xpaths)
+ html = Loofah.fragment(html) unless html.is_a? Nokogiri::XML::DocumentFragment
+ xpaths.each do |xpath|
+ html.xpath(xpath).each { |subtree| subtree.remove }
 end
+ html.to_s
+ end
+ end
+
+ class FullSanitizer < Sanitizer
+ def sanitize(html, options = {})
+ return nil unless html
+ return html if html.empty?
+
+ fragment = Loofah.fragment(html)
+ remove_xpaths(fragment, %w{.//script .//form comment()})
+ fragment.text
 end
 end
- class LinkSanitizer
+ class LinkSanitizer < Sanitizer
 def initialize
 @strip_tags = %w(a href)
 @link_scrubber = Loofah::Scrubber.new do |node|
@@ -34,7 +47,7 @@ module ActionView
 end
 end
- class WhiteListSanitizer
+ class WhiteListSanitizer < Sanitizer
 def initialize
 @permit_scrubber = PermitScrubber.new
@@ -49,7 +62,7 @@ module ActionView
 @permit_scrubber.attributes = options[:attributes]
 loofah_fragment.scrub!(@permit_scrubber)
 else
- remove_xpaths(loofah_fragment, %w(./script ./form))
+ remove_xpaths(loofah_fragment, %w{.//script .//form comment()})
 loofah_fragment.scrub!(:strip)
 end
 loofah_fragment.to_s
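Review bot: `Sanitizer#remove_xpaths` mutates the fragment it receives but returns `html.to_s`, and `FullSanitizer#sanitize` in this same hunk discards that return and reads `fragment.text` from the mutated object, so the contract is split between side effect and return value; a caller that passes a String gets back serialized HTML and no fragment to keep working on. If no caller depends on the String result, ending the method with `html` (the fragment) serves both uses, and a `# Mutates and returns +html+ as a fragment; a String argument is parsed first` comment would make that explicit. The method is also public on the new base class, so it becomes part of every sanitizer's surface; `private` or `protected` is worth considering if it is only used internally. Separately, whether `fragment.text` re-encodes `<`, `>` and `&` is decided by Loofah's `text`, not by this code — if it does not, `sanitize("&lt;b&gt;")` comes back as `<b>` and any caller that marks the result html_safe reintroduces markup, so a test pinning that case would settle it.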
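Review bot: In the new `remove_xpaths` call, `comment()` matches only comments that are direct children of the fragment, whereas its siblings use `.//script` and `.//form` to reach nested nodes, so a comment inside an element (`<div><!-- x --></div>`) is not removed by this step. If the intent is to drop every comment before `scrub!(:strip)` runs, the expression should be `.//comment()`, i.e. `remove_xpaths(loofah_fragment, %w{.//script .//form .//comment()})`; the same list appears in `FullSanitizer#sanitize` and should be changed together. Whether `:strip` removes the nested comments anyway depends on Loofah's scrubber, so this may be belt-and-braces, but the three expressions should at least agree on depth. The enclosing `sanitize` method starts before this hunk.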
@@ -59,7 +72,7 @@ module ActionView
 Loofah::HTML5::Scrub.scrub_css style_string
 end
- def remove_xpaths(html, *xpaths)
+ def remove_xpaths(html, xpaths)
 html = Loofah.fragment(html) unless html.is_a? Nokogiri::XML::DocumentFragment
 xpaths.each do |xpath|
 html.xpath(xpath).each { |subtree| subtree.remove } |
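Review bot: After this hunk `WhiteListSanitizer#remove_xpaths` has the same signature and, as far as the hunk shows, the same body as the `Sanitizer#remove_xpaths` this commit adds to the new base class, so the subclass definition is now duplication that will drift from the inherited one. Unless the rest of the method (its end lies outside the hunk) differs, delete this definition and let the base-class version serve, which also puts the `%w{.//script .//form comment()}` callers in `FullSanitizer` and `WhiteListSanitizer` on one code path. If it must stay, a `# Overrides Sanitizer#remove_xpaths -- keep in sync` comment is the minimum.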