Diffstat (limited to 'actionview/lib/action_view/helpers')
-rw-r--r-- | actionview/lib/action_view/helpers/sanitize_helper/sanitizers.rb | 3 | ||||
-rw-r--r-- | actionview/lib/action_view/helpers/sanitize_helper/scrubbers.rb | 26 |
2 files changed, 20 insertions, 9 deletions
diff --git a/actionview/lib/action_view/helpers/sanitize_helper/sanitizers.rb b/actionview/lib/action_view/helpers/sanitize_helper/sanitizers.rb
index 905fa38446..c6bbf5e3f7 100644
--- a/actionview/lib/action_view/helpers/sanitize_helper/sanitizers.rb
+++ b/actionview/lib/action_view/helpers/sanitize_helper/sanitizers.rb
@@ -34,7 +34,8 @@ module ActionView
 class LinkSanitizer < Sanitizer
 def initialize
- @link_scrubber = LinkScrubber.new
+ @link_scrubber = TargetScrubber.new
+ @link_scrubber.tags = %w(a href)
 end
 def sanitize(html, options = {})
diff --git a/actionview/lib/action_view/helpers/sanitize_helper/scrubbers.rb b/actionview/lib/action_view/helpers/sanitize_helper/scrubbers.rb
index 2dfe82efab..4751d84688 100644
--- a/actionview/lib/action_view/helpers/sanitize_helper/scrubbers.rb
+++ b/actionview/lib/action_view/helpers/sanitize_helper/scrubbers.rb
@@ -51,7 +51,7 @@ class PermitScrubber < Loofah::Scrubber
 def scrub_attributes(node)
 if @attributes
 node.attributes.each do |name, _|
- node.remove_attribute(name) unless @attributes.include?(name)
+ node.remove_attribute(name) if should_remove_attributes?(name)
 end
 else
 Loofah::HTML5::Scrub.scrub_attributes(node)
@@ -62,6 +62,10 @@ class PermitScrubber < Loofah::Scrubber
 text_or_cdata_node?(node)
 end
+ def should_remove_attributes?(name)
+ @attributes.exclude?(name)
+ end
+
 def text_or_cdata_node?(node)
 case node.type
 when Nokogiri::XML::Node::TEXT_NODE, Nokogiri::XML::Node::CDATA_SECTION_NODE 
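Review bot: `href` is an attribute name, not an element name, so the second entry in `@link_scrubber.tags = %w(a href)` only ever matches a literal `<href>` element in the input (TargetScrubber#allowed_node? compares against `node.name`), which is presumably not what the old `@strip_tags` list intended either; I'd reduce it to `@link_scrubber.tags = %w(a)` or comment why the extra entry is there. Because LinkSanitizer never assigns `attributes=`, attribute scrubbing for surviving nodes falls through to the Loofah HTML5 allowlist branch of PermitScrubber#scrub_attributes, which is the safe behaviour here, but nothing says so; a one-line comment such as `# attributes= is deliberately left unset so Loofah's HTML5 allowlist scrubs attributes` would stop a later maintainer from "completing" the setup with `attributes = %w(href)` and silently turning it into a blocklist. `initialize` is complete in the hunk; the enclosing LinkSanitizer class continues outside it.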
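Review bot: `should_remove_attributes?` receives a single `name` and decides about one attribute, so the plural reads wrong next to the singular `remove_attribute(name)` call that consumes it; `should_remove_attribute?(name)` would be clearer, and any rename must be mirrored in the TargetScrubber override in the later hunk. No `private`/`protected` marker is visible around the new method, so it appears to become part of PermitScrubber's public surface even though it dereferences `@attributes` unconditionally and is only safe when `scrub_attributes` has already checked `if @attributes`. I'd document that contract where it is defined: `# Extension hook: return true to strip attribute +name+. Only consulted when +attributes=+ was set; @attributes is assumed non-nil.`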
@@ -78,14 +82,20 @@ class PermitScrubber < Loofah::Scrubber
 end
 end
-# LinkScrubber overrides PermitScrubbers +allowed_node?+ to any nodes
-# which names aren't a or href
-class LinkScrubber < PermitScrubber
- def initialize
- @strip_tags = %w(a href)
+# TargetScrubber - The bizarro PermitScrubber
+#
+# With PermitScrubber you choose elements you don't want removed,
+# with TargetScrubber you choose want you want gone.
+#
+# +tags=+ and +attributes=+ has the same behavior as PermitScrubber
+# except they select what to get rid of.
+class TargetScrubber < PermitScrubber
+ def allowed_node?(node)
+ return super unless @tags
+ @tags.exclude?(node.name)
 end
- def allowed_node?(node)
- !@strip_tags.include?(node.name)
+ def should_remove_attributes?(name)
+ @attributes.include?(name)
 end
 end |
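Review bot: The class comment should state plainly that TargetScrubber is a blocklist and what that means for attributes: once `attributes=` is set, `should_remove_attributes?` strips only the listed names and every other attribute (event handlers like `onclick`, `style`, `href`/`src` with any scheme) is passed through untouched, whereas an instance with only `tags=` set still goes through the `Loofah::HTML5::Scrub.scrub_attributes` allowlist path in the `else` branch of PermitScrubber#scrub_attributes shown in the earlier hunk. I'd add `# NOTE: this is a blocklist. With +attributes=+ set, any attribute NOT listed is kept as-is; prefer PermitScrubber for untrusted input.` The same comment has two wording slips: `you choose want you want gone` should read `you choose what you want gone`, and `+tags=+ and +attributes=+ has the same behavior` should be `have the same behavior`. When `@tags` is unset, `allowed_node?` defers to `super`, whose PermitScrubber implementation is outside this hunk, so I cannot confirm from here which path untagged instances take for elements.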