Module: Sanitize::Rails::Engine

Extended by:

Engine

Included in:

Engine

Defined in:

lib/sanitize/rails/engine.rb

Instance Method Summary

• #callback_for(options) ⇒ Object

  :nodoc:.

• #clean(string) ⇒ Object

  Returns a copy of the given ‘string` after sanitizing it and marking it as `html_safe`.

• #clean!(string) ⇒ Object

  Sanitizes the given ‘string` in place and does NOT mark it as `html_safe`.

• #cleaner ⇒ Object

  Returns a memoized instance of the Engine with the configuration passed to the configure method or with the ActionView’s default config.

• #configure(config) ⇒ Object
• #method_for(fields) ⇒ Object

  :nodoc:.

Instance Method Details

#callback_for(options) ⇒ Object

:nodoc:

# File 'lib/sanitize/rails/engine.rb', line 45

def callback_for(options) #:nodoc:
  point = (options[:on] || 'save').to_s

  unless %w( save create ).include?(point)
    raise ArgumentError, "Invalid callback point #{point}, valid ones are :save and :create"
  end

  "before_#{point}".intern
end

#clean(string) ⇒ Object

Returns a copy of the given ‘string` after sanitizing it and marking it as `html_safe`

Ensuring this methods return instances of ActiveSupport::SafeBuffer means that text passed through ‘Sanitize::Rails::Engine.clean` will not be escaped by ActionView’s XSS filtering utilities.

# File 'lib/sanitize/rails/engine.rb', line 34

def clean(string)
  ::ActiveSupport::SafeBuffer.new cleaner.fragment(string)
end

#clean!(string) ⇒ Object

Sanitizes the given ‘string` in place and does NOT mark it as `html_safe`

# File 'lib/sanitize/rails/engine.rb', line 40

def clean!(string)
  return '' if string.nil?
  string.replace cleaner.fragment(string)
end

#cleaner ⇒ Object

Returns a memoized instance of the Engine with the configuration passed to the configure method or with the ActionView’s default config

# File 'lib/sanitize/rails/engine.rb', line 14

def cleaner
  @@config ||= begin
    {
      :elements   => ::ActionView::Base.sanitized_allowed_tags.to_a,
      :attributes => { :all => ::ActionView::Base.sanitized_allowed_attributes.to_a},
      :protocols  => { :all => ::ActionView::Base.sanitized_allowed_protocols.to_a }
    }
  rescue
    warn "ActionView not available, falling back to Sanitize's BASIC config"
    ::Sanitize::Config::BASIC
  end
  @sanitizer ||= ::Sanitize.new(@@config)
end

#configure(config) ⇒ Object

# File 'lib/sanitize/rails/engine.rb', line 6

def configure(config)
  @@config = config.freeze
end

#method_for(fields) ⇒ Object

:nodoc:

# File 'lib/sanitize/rails/engine.rb', line 55

def method_for(fields) #:nodoc:
  "sanitize_#{fields.join('_')}".intern
end