Class: HTML::WhiteListSanitizer
- Defined in:
- lib/action_controller/vendor/html-scanner/html/sanitizer.rb
Instance Method Summary collapse
-
#sanitize_css(style) ⇒ Object
Sanitizes a block of css code.
Methods inherited from Sanitizer
Instance Method Details
#sanitize_css(style) ⇒ Object
Sanitizes a block of css code. Used by #sanitize when it comes across a style attribute
104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 |
# File 'lib/action_controller/vendor/html-scanner/html/sanitizer.rb', line 104 def sanitize_css(style) # disallow urls style = style.to_s.gsub(/url\s*\(\s*[^\s)]+?\s*\)\s*/, ' ') # gauntlet if style !~ /^([:,;#%.\sa-zA-Z0-9!]|\w-\w|\'[\s\w]+\'|\"[\s\w]+\"|\([\d,\s]+\))*$/ || style !~ /^(\s*[-\w]+\s*:\s*[^:;]*(;|$)\s*)*$/ return '' end clean = [] style.scan(/([-\w]+)\s*:\s*([^:;]*)/) do |prop,val| if allowed_css_properties.include?(prop.downcase) clean << prop + ': ' + val + ';' elsif shorthand_css_properties.include?(prop.split('-')[0].downcase) unless val.split().any? do |keyword| !allowed_css_keywords.include?(keyword) && keyword !~ /^(#[0-9a-f]+|rgb\(\d+%?,\d*%?,?\d*%?\)?|\d{0,2}\.?\d{0,2}(cm|em|ex|in|mm|pc|pt|px|%|,|\))?)$/ end clean << prop + ': ' + val + ';' end end end clean.join(' ') end |