Module: Amrita2::Util

Included in:
Core::DynamicElement, Core::ErbNode, Core::Template, Filters::Attr::Renderer, Filters::InlineRuby, Filters::MacroFilter, Runtime, Amrita2View::Base
Defined in:
lib/amrita2/template.rb,
lib/amrita2/template.rb

Overview

:nodoc: all

Defined Under Namespace

Modules: OptionSupport; Classes: Option, SanitizedString, Tuple

Constant Summary

NAMECHAR =

This module provides methods for avoiding XSS vulnerabilities, taken from the IPA home page (Japanese): www.ipa.go.jp/security/awareness/vendor/programming/a01_02.html

'[-\w\d\.:]'
NAME =
"([\\w:]#{NAMECHAR}*)"
NOT_REFERENCE =

borrowed from rexml

"(?!#{NAME};|&#\\d+;|&#x[0-9a-fA-F]+;)"
AMP_WITHOUT_REFRENCE =
/&#{NOT_REFERENCE}/
DefaultAllowedScheme =
{
  'http' => true,
  'https' => true,
  'ftp' => true,
  'mailto' => true,
}
UrlInvalidChar =

UrlInvalidChar = Regexp.new(%q|[^;/?:@&=+$,A-Za-z0-9\-_.!~*'()%#]|)

Regexp.new(%q|[^;/?:@&=+$,A-Za-z0-9\-_.!~*'()%#]|)

Class Method Summary

Class Method Details

.sanitize_attribute_value(text) ⇒ Object

escape &<>"'



# File 'lib/amrita2/template.rb', line 205

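# Escape text for use inside an HTML attribute value: & < > " '
#
# "&" is escaped only when it does not already begin a character reference
# (AMP_WITHOUT_REFRENCE), so already-escaped input is not escaped twice.
# NOTE: with NOT_REFERENCE as defined in this module, only *named*
# references (e.g. &amp;) are recognised; the numeric alternatives start
# with a second "&" and therefore never match, so &#NN; forms are
# re-escaped. The single quote is escaped as well, so the result is safe in
# both double- and single-quoted attributes (the header comment promised
# this, but the "'" line had been commented out).
#
# @param text [String, nil] raw attribute value; nil yields nil
# @return [String, nil] escaped copy; +text+ itself is left unmodified
def self.sanitize_attribute_value(text)
  return nil unless text

  # String#gsub (non-bang) already returns a fresh String, so no dup is needed.
  text.gsub(AMP_WITHOUT_REFRENCE, '&amp;')
      .gsub('<', '&lt;')
      .gsub('>', '&gt;')
      .gsub('"', '&quot;')
      .gsub("'", '&#39;')
end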

.sanitize_text(text) ⇒ Object

escape &<>



# File 'lib/amrita2/template.rb', line 195

# Escape text for an HTML text node: & < >
#
# An "&" that already begins a character reference (as recognised by
# AMP_WITHOUT_REFRENCE) is left alone. Quotes are not touched here; use
# sanitize_attribute_value for attribute values.
#
# @param text [String, nil] raw text; nil yields nil
# @return [String, nil] escaped copy; +text+ itself is left unmodified
def self.sanitize_text(text)
  return nil unless text

  # Non-bang gsub returns a new String at each step, so the caller's
  # string is never modified.
  text.gsub(AMP_WITHOUT_REFRENCE, '&amp;')
      .gsub('<', '&lt;')
      .gsub('>', '&gt;')
end

.sanitize_url(text, allowd_scheme = DefaultAllowedScheme) ⇒ Object

sanitize_url accepts only these characters

--- http://www.ietf.org/rfc/rfc2396.txt ---
uric = reserved | unreserved | escaped
reserved = ";" | "/" | "?" | ":" | "@" | "&" | "=" | "+" | "$" | ","
unreserved = alphanum | mark
mark = "-" | "_" | "." | "!" | "~" | "*" | "'" | "(" | ")"
escaped = "%" hex hex

sanitize_url accepts only the schemes specified by allowd_scheme

The default is http:, https:, ftp: and mailto:



# File 'lib/amrita2/template.rb', line 238

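# Sanitize a URL for use inside an HTML attribute.
#
# Returns nil when +text+ contains any character outside the RFC 2396 +uric+
# set (UrlInvalidChar) or carries a scheme that is not a key of
# +allowd_scheme+; a string without a scheme (a relative URL) is accepted.
# The surviving text has "&" and "'" escaped as HTML character references.
#
# @param text [String, nil] candidate URL; nil yields nil
# @param allowd_scheme [Hash{String => Object}] a truthy value marks the
#   scheme (matched case-sensitively, without the ":") as acceptable
# @return [String, nil] escaped URL, or nil when rejected
def self.sanitize_url(text, allowd_scheme = DefaultAllowedScheme)
  # nil-safe, like sanitize_text and sanitize_attribute_value (the original
  # went on to call nil.dup / gsub! and raised NoMethodError).
  return nil unless text

  # return nil if text has characters not allowed for URL
  # ("<", ">", '"' and all whitespace are rejected here, so the HTML
  # escaping below does not need to handle them)
  return nil if text =~ UrlInvalidChar

  # return nil if text has an unknown scheme
  # --- http://www.ietf.org/rfc/rfc2396.txt ---
  # scheme = alpha *( alpha | digit | "+" | "-" | "." )
  # \A anchors to the start of the whole string rather than of a line.
  if text =~ %r|\A([A-Za-z][A-Za-z0-9+\-.]*):|
    return nil unless allowd_scheme[Regexp.last_match(1)]
  end

  # escape HTML
  # special = "&" | "<" | ">" | '"' | "'"
  # "&" must be escaped as well: a browser decodes character references in
  # an attribute value *before* parsing it as a URL, so an unescaped
  # reference left in the text could produce a scheme that the check above
  # never saw. Escaping every "&" keeps such a reference inert, and "&amp;"
  # is in any case the correct encoding of a literal "&" (e.g. a query
  # string separator) inside an attribute.
  s = text.dup
  s.gsub!("&", '&amp;')
  s.gsub!("'", '&#39;')

  s
end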