Class: HTML::WhiteListSanitizer
- Defined in:
- actionview/lib/action_view/vendor/html-scanner/html/sanitizer.rb
Instance Method Summary collapse
-
#sanitize_css(style) ⇒ Object
Sanitizes a block of css code.
Methods inherited from Sanitizer
Instance Method Details
#sanitize_css(style) ⇒ Object
Sanitizes a block of css code. Used by #sanitize when it comes across a style attribute
119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 |
# File 'actionview/lib/action_view/vendor/html-scanner/html/sanitizer.rb', line 119 def sanitize_css(style) # disallow urls style = style.to_s.gsub(/url\s*\(\s*[^\s)]+?\s*\)\s*/, ' ') # gauntlet if style !~ /\A([:,;#%.\sa-zA-Z0-9!]|\w-\w|\'[\s\w]+\'|\"[\s\w]+\"|\([\d,\s]+\))*\z/ || style !~ /\A(\s*[-\w]+\s*:\s*[^:;]*(;|$)\s*)*\z/ return '' end clean = [] style.scan(/([-\w]+)\s*:\s*([^:;]*)/) do |prop,val| if allowed_css_properties.include?(prop.downcase) clean << prop + ': ' + val + ';' elsif shorthand_css_properties.include?(prop.split('-')[0].downcase) unless val.split().any? do |keyword| !allowed_css_keywords.include?(keyword) && keyword !~ /\A(#[0-9a-f]+|rgb\(\d+%?,\d*%?,?\d*%?\)?|\d{0,2}\.?\d{0,2}(cm|em|ex|in|mm|pc|pt|px|%|,|\))?)\z/ end clean << prop + ': ' + val + ';' end end end clean.join(' ') end |