Module: Dandruff::Expressions (Private)

Defined in:
lib/dandruff/expressions.rb

Overview

This module is part of a private API. You should avoid using this module if possible, as it may be removed or be changed in the future.

Regular expressions for attribute matching and content validation

This module contains regular expressions used throughout Dandruff for validating attributes, detecting template expressions, and checking URI protocols. These patterns are critical for security and should not be modified without careful consideration.

Constant Summary

DATA_ATTR = /^data-[\w-]+$/

Matches HTML5 data attributes (data-*)

Validates attribute names that follow the data attribute specification. Data attributes must start with `data-` followed by one or more word characters or hyphens.

Examples:

Matching data attributes

'data-user-id' =~ Expressions::DATA_ATTR   # matches
'data-toggle' =~ Expressions::DATA_ATTR    # matches
'data' =~ Expressions::DATA_ATTR           # does not match
'data-' =~ Expressions::DATA_ATTR          # does not match
ARIA_ATTR = /^aria-[\w-]+$/

Matches ARIA accessibility attributes (aria-*)

Validates attribute names that follow the ARIA specification. ARIA attributes must start with `aria-` followed by one or more word characters or hyphens.

Examples:

Matching aria attributes

'aria-label' =~ Expressions::ARIA_ATTR      # matches
'aria-hidden' =~ Expressions::ARIA_ATTR     # matches
'aria' =~ Expressions::ARIA_ATTR            # does not match
MUSTACHE_EXPR = /\{\{[^}]+\}\}/

Matches Mustache/Handlebars template expressions

Detects template expressions in the format `{{ expression }}`. Used when safe_for_templates is enabled to prevent template injection attacks.

Examples:

Matching mustache expressions

'{{ user.name }}' =~ Expressions::MUSTACHE_EXPR    # matches
'{{value}}' =~ Expressions::MUSTACHE_EXPR          # matches
ERB_EXPR = /<%[=-]?[^%]+%>/

Matches ERB (Embedded Ruby) template expressions

Detects ERB expressions in the format `<% expression %>`, `<%= expression %>`, or `<%- expression %>`. Used when safe_for_templates is enabled.

Examples:

Matching ERB expressions

'<%= user.name %>' =~ Expressions::ERB_EXPR    # matches
'<% if admin? %>' =~ Expressions::ERB_EXPR     # matches
'<%- value -%>' =~ Expressions::ERB_EXPR       # matches
TMPLIT_EXPR = /\$\{[^}]+\}/

Matches JavaScript template literal expressions

Detects template expressions in the format `${ expression }`. Used when safe_for_templates is enabled to prevent template injection.

Examples:

Matching template literals

'${user.name}' =~ Expressions::TMPLIT_EXPR    # matches
'${value}' =~ Expressions::TMPLIT_EXPR        # matches
IS_ALLOWED_URI = /^(?:(?:https?|mailto|ftp|tel):|[^a-z]|[a-z+.-]+(?:[^a-z+.-:]|$))/i

Validates allowed URI protocols and relative URLs

This is the default URI validation pattern matching DOMPurify's behavior. Allows: http, https, mailto, ftp, tel protocols and relative URLs. Blocks: javascript, data, vbscript, and other dangerous protocols.

Allowed protocols: http, https, mailto, ftp, tel, and relative URLs (/, ./, ../)
Blocked protocols: javascript, vbscript, data (unless explicitly enabled)

Examples:

Valid URIs

'https://example.com' =~ Expressions::IS_ALLOWED_URI    # matches
'mailto:[email protected]' =~ Expressions::IS_ALLOWED_URI # matches
'/path/to/page' =~ Expressions::IS_ALLOWED_URI         # matches
'javascript:alert(1)' =~ Expressions::IS_ALLOWED_URI   # does not match
IS_SCRIPT_OR_DATA = %r{^(?:\s*javascript:|\s*data:text/html)}i

Detects dangerous JavaScript and data:text/html URIs

Matches URIs that start with javascript: or data:text/html protocols, which are common XSS attack vectors. These are always blocked regardless of other configuration. Whitespace before the protocol is also detected.

Examples:

Dangerous URIs

'javascript:alert(1)' =~ Expressions::IS_SCRIPT_OR_DATA      # matches
'  javascript:void(0)' =~ Expressions::IS_SCRIPT_OR_DATA     # matches (whitespace)
'data:text/html,<script>' =~ Expressions::IS_SCRIPT_OR_DATA # matches
'data:image/png;base64' =~ Expressions::IS_SCRIPT_OR_DATA   # does not match
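The constants above as a runnable Ruby module, with helper methods showing how a sanitizer combines them when deciding whether an attribute survives; this is an added example, not Dandruff's own code. The constants are copied from this page; `allowed_uri?`, `template_expression?`, `allowed_attribute?`, `URI_ATTRS` and `DEFAULT_ALLOWED` are assumed glue.

```ruby
# Added example (not Dandruff's own code): the regex constants are copied from
# the page; the helper methods and allow-lists below are assumed glue showing
# how a sanitizer would combine them when deciding whether to keep an attribute.
module Expressions
  DATA_ATTR = /^data-[\w-]+$/
  ARIA_ATTR = /^aria-[\w-]+$/
  MUSTACHE_EXPR = /\{\{[^}]+\}\}/
  ERB_EXPR = /<%[=-]?[^%]+%>/
  TMPLIT_EXPR = /\$\{[^}]+\}/
  IS_ALLOWED_URI = /^(?:(?:https?|mailto|ftp|tel):|[^a-z]|[a-z+.-]+(?:[^a-z+.-:]|$))/i
  IS_SCRIPT_OR_DATA = %r{^(?:\s*javascript:|\s*data:text/html)}i

  # Assumed: attributes whose value is a URI, and a small default allow-list.
  URI_ATTRS = %w[href src action formaction xlink:href].freeze
  DEFAULT_ALLOWED = %w[href src title class id alt].freeze

  # Order matters: IS_SCRIPT_OR_DATA is checked first because IS_ALLOWED_URI
  # accepts any value whose first character is not a letter, so a leading
  # space before "javascript:" would otherwise pass the allow pattern.
  def self.allowed_uri?(value)
    return false if value.match?(IS_SCRIPT_OR_DATA)
    value.match?(IS_ALLOWED_URI)
  end

  # True when the value carries a Mustache, ERB or JS template expression.
  def self.template_expression?(value)
    [MUSTACHE_EXPR, ERB_EXPR, TMPLIT_EXPR].any? { |re| value.match?(re) }
  end

  # Assumed policy: drop template expressions when safe_for_templates is on,
  # accept data-*/aria-* by name pattern, then allow-list and URI-check the rest.
  def self.allowed_attribute?(name, value, allowed: DEFAULT_ALLOWED, safe_for_templates: false)
    name = name.downcase
    return false if safe_for_templates && template_expression?(value)
    return true if name.match?(DATA_ATTR) || name.match?(ARIA_ATTR)
    return false unless allowed.include?(name)
    URI_ATTRS.include?(name) ? allowed_uri?(value) : true
  end
end

if __FILE__ == $PROGRAM_NAME
  [['href', 'https://example.com'], ['href', '  javascript:void(0)'],
   ['data-user-id', '42'], ['title', '{{ user.name }}']].each do |n, v|
    puts "#{n}=#{v.inspect}: #{Expressions.allowed_attribute?(n, v, safe_for_templates: true)}"
  end
end
```

One caveat worth testing in your own deployment: in IS_ALLOWED_URI the unescaped hyphen in `[^a-z+.-:]` makes `.-:` a character range (`.` through `:`, which includes `/` and the digits), so a scheme-less value such as `example.com/page` is rejected here, whereas DOMPurify escapes that hyphen (`[^a-z+.\-:]`) and accepts it. Escaping the hyphen restores DOMPurify's behaviour.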