Class: String

Inherits:
Object
Defined in:
lib/nitro/sanitize.rb

Direct Known Subclasses

Nitro::OutputBuffer


Class Method Details

.sanitize(html) ⇒ Object

Sanitizes the given HTML by turning form and script tags into regular text, and removing all “onxxx” attributes (so that arbitrary JavaScript cannot be executed). Also removes href attributes that start with “javascript:”.

Returns the sanitized text.



# File 'lib/nitro/sanitize.rb', line 17

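def self.sanitize(html)
  # only do this if absolutely necessary
  if html.index("<")
    tokenizer = HTML::Tokenizer.new(html)
    # .dup keeps the buffer mutable even if frozen string literals are enabled
    new_text = "".dup

    # tokenizer.next yields nil once the input is exhausted
    while (token = tokenizer.next)
      node = HTML::Node.parse(nil, 0, 0, token, false)
      new_text << case node
                  when HTML::Tag
                    if VERBOTEN_TAGS.include?(node.name)
                      # neutralise the whole tag (form/script per the method docs) by
                      # rendering it as visible text instead of markup
                      node.to_s.gsub("<", "&lt;")
                    else
                      if node.closing != :close
                        # drop event-handler attributes; VERBOTEN_ATTRS is defined
                        # elsewhere in this file
                        node.attributes.delete_if { |attr, _value| attr =~ VERBOTEN_ATTRS }
                        # Browsers strip leading whitespace/control characters and discard
                        # embedded tab/CR/LF before reading a URL's scheme, so normalise the
                        # same way before matching; otherwise " javascript:" or
                        # "java\nscript:" would survive the check.
                        # NOTE(review): only href is inspected and only the javascript:
                        # scheme is rejected; src/action/style attributes and data:/vbscript:
                        # URLs pass unchanged. Whether the tokenizer decodes entities in
                        # attribute values is not visible from this file -- confirm.
                        href = node.attributes["href"].to_s.delete("\t\r\n").sub(/\A[\x00-\x20]+/, "")
                        if href =~ /\Ajavascript:/i
                          node.attributes.delete "href"
                        end
                      end
                      node.to_s
                    end
                  else
                    # text and other non-tag nodes: never emit a raw "<" from untrusted input
                    node.to_s.gsub("<", "&lt;")
                  end
    end

    html = new_text
  end

  html
end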