Class: Ape::SanitizationValidator

Inherits:
Validator
  • Object
Defined in:
lib/ape/validators/sanitization_validator.rb

Instance Attribute Summary

Attributes inherited from Validator

#authent, #reporter

Instance Method Summary

Methods inherited from Validator

custom_validators, instance

Methods included from Util

extended, included

Methods included from ValidatorDsl

included

Dynamic Method Handling

This class handles dynamic methods through the method_missing method of its superclass, Ape::Validator.

Instance Method Details

#validate(opts = {}) ⇒ Object



# File 'lib/ape/validators/sanitization_validator.rb', line 6

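# Posts an intentionally "unclean" XHTML entry to the collection, fetches the
# entry the server published, and checks whether the dangerous parts (script
# element, 'background'/'style' attributes, non-http(s) hyperlinks) were
# stripped. Every finding goes to +reporter+; a success line is only emitted
# when nothing was retained.
#
# @param opts [Hash] expects :entry_collection, an object responding to #href
#   (the collection URI the test entry is POSTed to)
# @return [nil] nothing is returned; results are reported, not returned
def validate(opts = {})
  reporter.info(self, "TESTING: Content sanitization")
  coll = opts[:entry_collection]

  poster = Poster.new(coll.href, @authent)
  name = 'Posting unclean XHTML'
  worked = poster.post(Names::AtomEntryMediaType, Samples.unclean_xhtml_entry)
  unless worked
    reporter.save_dialog(name, poster)
    reporter.error(self, "Can't POST unclean XHTML: #{poster.last_error}", name)
    return
  end

  location = poster.header('Location')
  name = "Retrieval of unclean XHTML entry"
  entry = check_resource(location, name, Names::AtomMediaType)
  return unless entry

  begin
    entry = Entry.new(:text => entry.body, :uri => location)
  rescue REXML::ParseException => e
    # Line breaks would break the HTML report, so fold them into <br/>.
    prob = e.message.gsub(/\n/, '<br/>')
    reporter.error(self, "New entry is not well-formed: #{prob}")
    return
  end

  no_problem = true
  patterns = {
    '//xhtml:script' => "Published entry retains xhtml:script element.",
    '//*[@background]' => "Published entry retains 'background' attribute.",
    '//*[@style]' => "Published entry retains 'style' attribute."
  }
  # A retained element or attribute is a sanitization failure, so it must also
  # clear no_problem; otherwise the success line below would still be printed.
  patterns.each do |xp, message|
    next if entry.xpath_match(xp).empty?

    no_problem = false
    reporter.warning(self, message)
  end

  entry.xpath_match('//xhtml:a').each do |a|
    href = a.attributes['href']
    next unless href

    # Read the scheme from the very start of the value (\A, not ^, so a later
    # line of a multi-line attribute can never be taken for the scheme).
    # Scheme syntax follows RFC 3986; only http and https, in any case, pass.
    scheme = href[/\A([a-zA-Z][a-zA-Z0-9+.-]*):/, 1]
    next if scheme.nil? || %w[http https].include?(scheme.downcase)

    no_problem = false
    reporter.warning(self, "Published entry retains dangerous hyperlink: '#{href}'.")
  end

  delete_entry(entry)

  reporter.success(self, "Published entry appears to be sanitized.") if no_problem
end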