author | Timm <kaspth@gmail.com> | 2013-08-09 23:18:37 +0200 |
---|---|---|
committer | Timm <kaspth@gmail.com> | 2014-06-16 21:04:03 +0200 |
commit | 1cdc511b90eee7351f21359c32c6d13385846dbd (patch) | |
tree | 356c4e8b757b2f800194fb0841a2d43fb1c74ef8 /actionview/lib/action_view | |
parent | 739ecdf753d35ba40e238aedec666bc5eeafb2cc (diff) | |
Added LinkScrubber to remove duplication in LinkSanitizer. As such made PermitScrubber easier to subclass.
Diffstat (limited to 'actionview/lib/action_view')
-rw-r--r-- | actionview/lib/action_view/helpers/sanitize_helper/sanitizers.rb | 12 | ||||
-rw-r--r-- | actionview/lib/action_view/helpers/sanitize_helper/scrubbers.rb (renamed from actionview/lib/action_view/helpers/sanitize_helper/permit_scrubber.rb) | 21 |
2 files changed, 22 insertions, 11 deletions
diff --git a/actionview/lib/action_view/helpers/sanitize_helper/sanitizers.rb b/actionview/lib/action_view/helpers/sanitize_helper/sanitizers.rb
index 3ba46ccaa9..905fa38446 100644
--- a/actionview/lib/action_view/helpers/sanitize_helper/sanitizers.rb
+++ b/actionview/lib/action_view/helpers/sanitize_helper/sanitizers.rb
@@ -1,6 +1,6 @@
 require 'active_support/core_ext/class/attribute'
 require 'active_support/deprecation'
-require 'action_view/helpers/sanitize_helper/permit_scrubber'
+require 'action_view/helpers/sanitize_helper/scrubbers'
 
 module ActionView
 XPATHS_TO_REMOVE = %w{.//script .//form comment()}
@@ -34,15 +34,7 @@ module ActionView
 
 class LinkSanitizer < Sanitizer
 def initialize
-@strip_tags = %w(a href)
-@link_scrubber = Loofah::Scrubber.new do |node|
-if @strip_tags.include?(node.name)
-node.before node.children
-node.remove
-else
-Loofah::HTML5::Scrub.scrub_attributes(node)
-end
-end
+@link_scrubber = LinkScrubber.new
 end
 
 def sanitize(html, options = {})
diff --git a/actionview/lib/action_view/helpers/sanitize_helper/permit_scrubber.rb b/actionview/lib/action_view/helpers/sanitize_helper/scrubbers.rb
index 60c74ed35e..2dfe82efab 100644
--- a/actionview/lib/action_view/helpers/sanitize_helper/permit_scrubber.rb
+++ b/actionview/lib/action_view/helpers/sanitize_helper/scrubbers.rb
@@ -11,6 +11,9 @@
 # +attributes=+
 # Contain an elements allowed attributes.
 # If none is set HTML5::Scrub.scrub_attributes implementation will be used.
+#
+# Subclass PermitScrubber to provide your own definition of
+# when a node is allowed and how attributes should be scrubbed.
 class PermitScrubber < Loofah::Scrubber # :nodoc:
 attr_reader :tags, :attributes
 
@@ -24,7 +27,7 @@ class PermitScrubber < Loofah::Scrubber
 end
 
 def scrub(node)
-return CONTINUE if text_or_cdata_node?(node)
+return CONTINUE if should_skip_node?(node)
 
 unless allowed_node?(node)
 node.before node.children # strip
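Review bot: The new `return CONTINUE if should_skip_node?(node)` in `scrub` runs before `allowed_node?` and before any attribute scrubbing, so a subclass that overrides `should_skip_node?` to return true for an element node passes that element through with every attribute intact (an event handler or a hostile `href` would survive untouched). That is correct for the text and CDATA nodes the default targets, but the hook is now a public extension point of a sanitizer and the newly added class comment only mentions `allowed_node?` and attribute handling. Please document the contract at the hook, e.g. `# Nodes for which this returns true bypass allowed_node? and attribute scrubbing entirely; only return true for node types that cannot carry attributes.`. The body of `scrub` continues past the end of this hunk.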
@@ -55,6 +58,10 @@ class PermitScrubber < Loofah::Scrubber
 end
 end
 
+def should_skip_node?(node)
+text_or_cdata_node?(node)
+end
+
 def text_or_cdata_node?(node)
 case node.type
 when Nokogiri::XML::Node::TEXT_NODE, Nokogiri::XML::Node::CDATA_SECTION_NODE
@@ -70,3 +77,15 @@ class PermitScrubber < Loofah::Scrubber
 var
 end
 end
+
+# LinkScrubber overrides PermitScrubbers +allowed_node?+ to any nodes
+# which names aren't a or href
+class LinkScrubber < PermitScrubber
+def initialize
+@strip_tags = %w(a href)
+end
+
+def allowed_node?(node)
+!@strip_tags.include?(node.name)
+end
+end
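Review bot: In `LinkScrubber#initialize`, `href` in `@strip_tags = %w(a href)` is an attribute name, not an element name, so `node.name` can never equal it and the entry is dead; the check is only ever true for `a`, and the list should say so: `@strip_tags = %w(a)`. The initializer also never calls `super`, so whatever `PermitScrubber#initialize` sets up (outside this hunk) is skipped; if the intent is that `@tags`/`@attributes` stay unset so attribute scrubbing falls through to `HTML5::Scrub.scrub_attributes`, that deserves a `super` call plus a one-line comment rather than relying on the omission. The header comment is also hard to parse; suggest `# LinkScrubber strips <a> elements (keeping their children) and lets every other node through with its attributes scrubbed by PermitScrubber.`.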