author | Timm <kaspth@gmail.com> | 2013-08-09 23:38:14 +0200 |
---|---|---|
committer | Timm <kaspth@gmail.com> | 2014-06-16 21:04:03 +0200 |
commit | ac0d778fe973d8eb63fe8ef2af82a165d94b432a (patch) | |
tree | e0904d69a78cbfa9fd0020f4c21c8be003a352ee /actionview | |
parent | 1cdc511b90eee7351f21359c32c6d13385846dbd (diff) | |
Already killed off LinkScrubber. Changed it instead to be TargetScrubber, which is more general, while still allowing maximum code reuse.
Diffstat (limited to 'actionview')
-rw-r--r-- | actionview/lib/action_view/helpers/sanitize_helper/sanitizers.rb | 3 | ||||
-rw-r--r-- | actionview/lib/action_view/helpers/sanitize_helper/scrubbers.rb | 26 |
2 files changed, 20 insertions, 9 deletions
diff --git a/actionview/lib/action_view/helpers/sanitize_helper/sanitizers.rb b/actionview/lib/action_view/helpers/sanitize_helper/sanitizers.rb
index 905fa38446..c6bbf5e3f7 100644
--- a/actionview/lib/action_view/helpers/sanitize_helper/sanitizers.rb
+++ b/actionview/lib/action_view/helpers/sanitize_helper/sanitizers.rb
@@ -34,7 +34,8 @@ module ActionView
 class LinkSanitizer < Sanitizer
 def initialize
- @link_scrubber = LinkScrubber.new
+ @link_scrubber = TargetScrubber.new
+ @link_scrubber.tags = %w(a href)
 end
 def sanitize(html, options = {})
diff --git a/actionview/lib/action_view/helpers/sanitize_helper/scrubbers.rb b/actionview/lib/action_view/helpers/sanitize_helper/scrubbers.rb
index 2dfe82efab..4751d84688 100644
--- a/actionview/lib/action_view/helpers/sanitize_helper/scrubbers.rb
+++ b/actionview/lib/action_view/helpers/sanitize_helper/scrubbers.rb
@@ -51,7 +51,7 @@ class PermitScrubber < Loofah::Scrubber
 def scrub_attributes(node)
 if @attributes
 node.attributes.each do |name, _|
- node.remove_attribute(name) unless @attributes.include?(name)
+ node.remove_attribute(name) if should_remove_attributes?(name)
 end
 else
 Loofah::HTML5::Scrub.scrub_attributes(node)
@@ -62,6 +62,10 @@ class PermitScrubber < Loofah::Scrubber
 text_or_cdata_node?(node)
 end
+ def should_remove_attributes?(name)
+ @attributes.exclude?(name)
+ end
+
 def text_or_cdata_node?(node)
 case node.type
 when Nokogiri::XML::Node::TEXT_NODE, Nokogiri::XML::Node::CDATA_SECTION_NODE
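Review bot: In `LinkSanitizer#initialize` (sanitizers.rb hunk), `@link_scrubber.tags = %w(a href)` lists `href`, which is an attribute name, alongside the element name `a`. Since `TargetScrubber#allowed_node?` compares `@tags` with `node.name`, the `href` entry can only ever match an element literally named `href`. The list is carried over from the removed `LinkScrubber`, so behaviour is unchanged, but I would either reduce it to `%w(a)` or add a comment such as `# targets <a> elements only; "href" is kept for parity with the old list` so nobody assumes `href` attributes on other elements are stripped. The rest of the class lies outside the hunk.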
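Review bot: The new hook `should_remove_attributes?(name)` in `PermitScrubber` (second scrubbers.rb hunk) is undocumented even though it is now the method a subclass overrides to flip the attribute policy, and its plural name hides that it is asked once per attribute. I would add `# Returns true when the attribute +name+ must be stripped; only consulted when @attributes is set.` above it and consider the singular `should_remove_attribute?`. `exclude?` is an Active Support extension rather than core Ruby, so this file presumably relies on that extension being loaded; no require is visible in the hunk, so that is worth confirming.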
@@ -78,14 +82,20 @@ class PermitScrubber < Loofah::Scrubber
 end
 end
-# LinkScrubber overrides PermitScrubbers +allowed_node?+ to any nodes
-# which names aren't a or href
-class LinkScrubber < PermitScrubber
- def initialize
- @strip_tags = %w(a href)
+# TargetScrubber - The bizarro PermitScrubber
+#
+# With PermitScrubber you choose elements you don't want removed,
+# with TargetScrubber you choose want you want gone.
+#
+# +tags=+ and +attributes=+ has the same behavior as PermitScrubber
+# except they select what to get rid of.
+class TargetScrubber < PermitScrubber
+ def allowed_node?(node)
+ return super unless @tags
+ @tags.exclude?(node.name)
 end
- def allowed_node?(node)
- !@strip_tags.include?(node.name)
+ def should_remove_attributes?(name)
+ @attributes.include?(name)
 end
 end |
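Review bot: The class comment on `TargetScrubber` should state that it is a deny-list and therefore not a sufficient filter for untrusted HTML on its own. With `@tags` set, `allowed_node?` lets through every element not named in the list, and with `@attributes` set, `scrub_attributes` strips only the listed names and never reaches `Loofah::HTML5::Scrub.scrub_attributes`, so unlisted event-handler attributes and script-bearing URLs are kept. I would add a header line such as `# Anything not targeted is kept as-is; do not use this alone to sanitize untrusted markup.` The same comment has two slips: `choose want you want gone` should read `choose what you want gone`, and `has the same behavior` should be `have`. What `super` returns when `@tags` is nil is decided in `PermitScrubber#allowed_node?`, which is outside this hunk.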