Class: Rack::Protection::EscapedParams
Extended by: Utils
Defined in: lib/rack/protection/escaped_params.rb
Overview
Prevented attack: XSS
Supported browsers: all
More infos:

Automatically escapes Rack::Request#params so they can be embedded in HTML or JavaScript without any further issues. Calls html_safe on the escaped strings if defined, to avoid double-escaping in Rails.

Options:
- escape: which escaping modes to use; a Symbol or an Array of Symbols. Available: :html (default), :javascript, :url
Class Method Summary
- .escape_url ⇒ Object

Instance Method Summary
- #call(env) ⇒ Object
- #escape(object) ⇒ Object
- #escape_hash(hash) ⇒ Object
- #escape_string(str) ⇒ Object
- #handle(hash) ⇒ Object
- #initialize ⇒ EscapedParams (constructor): A new instance of EscapedParams.
Methods inherited from Base
#accepts?, #bytesize, #default_options, default_options, default_reaction, #deny, #drop_session, #encrypt, #html?, #instrument, #origin, #random_string, #react, #referrer, #report, #safe?, #secure_compare, #session, #session?, #warn
Constructor Details
#initialize ⇒ EscapedParams
Returns a new instance of EscapedParams.
    # File 'lib/rack/protection/escaped_params.rb', line 34
    def initialize(*)
      super
      # :escape may be a single Symbol or an Array of Symbols
      modes       = Array options[:escape]
      # object that must respond to escape_html / escape_url / escape_javascript
      @escaper    = options[:escaper]
      @html       = modes.include? :html
      @javascript = modes.include? :javascript
      @url        = modes.include? :url

      # JavaScript escaping is only available when the escaper implements it
      if @javascript and not @escaper.respond_to? :escape_javascript
        fail("Use EscapeUtils for JavaScript escaping.")
      end
    end
Class Method Details
.escape_url ⇒ Object
    # File 'lib/rack/protection/escaped_params.rb', line 27
    # exposes the escape method pulled in via `extend Utils` under the name
    # the escaper protocol expects
    alias escape_url escape
Instance Method Details
#call(env) ⇒ Object
    # File 'lib/rack/protection/escaped_params.rb', line 48
    def call(env)
      request  = Request.new(env)
      get_was  = handle(request.GET)
      # parsing a malformed body may raise; in that case POST is left untouched
      post_was = handle(request.POST) rescue nil
      app.call env
    ensure
      # hand the unescaped params back once the downstream app has run
      request.GET.replace get_was if get_was
      request.POST.replace post_was if post_was
    end
#escape(object) ⇒ Object
    # File 'lib/rack/protection/escaped_params.rb', line 64
    def escape(object)
      case object
      when Hash   then escape_hash(object)
      when Array  then object.map { |o| escape(o) }
      when String then escape_string(object)
      else nil   # any other value type is dropped
      end
    end
#escape_hash(hash) ⇒ Object
    # File 'lib/rack/protection/escaped_params.rb', line 73
    def escape_hash(hash)
      hash = hash.dup
      hash.each { |k,v| hash[k] = escape(v) }
      hash
    end
#escape_string(str) ⇒ Object
    # File 'lib/rack/protection/escaped_params.rb', line 79
    # modes are applied in a fixed order: url, then html, then javascript
    def escape_string(str)
      str = @escaper.escape_url(str)        if @url
      str = @escaper.escape_html(str)       if @html
      str = @escaper.escape_javascript(str) if @javascript
      str
    end
#handle(hash) ⇒ Object
    # File 'lib/rack/protection/escaped_params.rb', line 58
    def handle(hash)
      was = hash.dup            # shallow copy keeps the original values
      hash.replace escape(hash) # escape_hash builds a new Hash, so `was` is untouched
      was
    end
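The following is an added example, not rack-protection's own code: a stand-alone stand-in for the middleware documented above that reproduces its behaviour (mode selection, the Hash/Array/String walk with non-string values dropped, the fixed url -> html -> javascript order, and restoring the original params after the app ran) using only the Ruby standard library. StdlibEscaper, ParamEscaper, the around method and sample_params are all constructed for this example; the real middleware works on Rack::Request and defaults to EscapeUtils when that gem is present.

```ruby
# Added example (not rack-protection's code): a self-contained imitation of
# Rack::Protection::EscapedParams built on the Ruby standard library.
require 'cgi'
require 'erb'

# Hypothetical escaper exposing the three method names the middleware calls.
module StdlibEscaper
  module_function

  def escape_html(str)
    CGI.escapeHTML(str)
  end

  def escape_url(str)
    ERB::Util.url_encode(str)
  end

  # Minimal JavaScript string escaping (constructed here, not EscapeUtils):
  # quotes, backslash, angle brackets and line terminators become \uXXXX.
  def escape_javascript(str)
    str.gsub(/[\\'"<>\n\r\u2028\u2029]/) { |c| format('\\u%04X', c.ord) }
  end
end

class ParamEscaper
  def initialize(escape: :html, escaper: StdlibEscaper)
    modes       = Array(escape)
    @escaper    = escaper
    @html       = modes.include?(:html)
    @javascript = modes.include?(:javascript)
    @url        = modes.include?(:url)
    # Same guard as the middleware: JavaScript mode needs a capable escaper.
    if @javascript && !@escaper.respond_to?(:escape_javascript)
      raise ArgumentError, 'escaper must implement escape_javascript'
    end
  end

  # Mirrors EscapedParams#call with a plain Hash standing in for request.GET:
  # the block (the downstream app) sees escaped values, and the caller's
  # original values are restored afterwards, even when the app raises.
  def around(params)
    was = handle(params)
    yield params
  ensure
    params.replace(was) if was
  end

  def handle(hash)
    was = hash.dup              # shallow copy keeps the original values
    hash.replace(escape(hash))  # escape_hash builds a new Hash, so `was` is untouched
    was
  end

  def escape(object)
    case object
    when Hash   then escape_hash(object)
    when Array  then object.map { |o| escape(o) }
    when String then escape_string(object)
    else nil                    # anything else is dropped, as in the original
    end
  end

  def escape_hash(hash)
    hash = hash.dup
    hash.each { |k, v| hash[k] = escape(v) }
    hash
  end

  def escape_string(str)
    str = @escaper.escape_url(str)        if @url
    str = @escaper.escape_html(str)       if @html
    str = @escaper.escape_javascript(str) if @javascript
    str
  end
end

# Constructed sample parameters: an injection attempt, nested values and a
# non-string value (which the walk drops to nil).
def sample_params
  { 'name'  => '<script>alert(1)</script>',
    'tags'  => ['a&b', '<i>'],
    'meta'  => { 'q' => 'x"y' },
    'count' => 5 }
end

# Runs a fake app under the escaper; returns [what the app saw, what the
# caller holds afterwards].
def demo(escape = :html)
  params = sample_params
  seen   = nil
  ParamEscaper.new(escape: escape).around(params) { |p| seen = Marshal.load(Marshal.dump(p)) }
  [seen, params]
end

if __FILE__ == $PROGRAM_NAME
  seen, restored = demo(:html)
  p seen      # escaped view the app received
  p restored  # original values, back in place
end
```

Passing an Array such as `[:url, :html]` to demo shows the ordering: the value is URL-encoded first and the result is then HTML-escaped, exactly as escape_string applies the modes.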