Class: Rack::Protection::EscapedParams
- Extended by:
- Utils
- Defined in:
- lib/rack/protection/escaped_params.rb
Overview
- Prevented attack
-
XSS
- Supported browsers
-
all
- More infos
Automatically escapes Rack::Request#params so they can be embedded in HTML or JavaScript without any further issues.
Options:
- escape
-
What escaping modes to use, should be Symbol or Array of Symbols. Available: :html (default), :javascript, :url
Constant Summary
Constants inherited from Base
Instance Attribute Summary
Attributes inherited from Base
Class Method Summary collapse
Instance Method Summary collapse
- #call(env) ⇒ Object
- #escape(object) ⇒ Object
- #escape_hash(hash) ⇒ Object
- #escape_string(str) ⇒ Object
- #handle(hash) ⇒ Object
-
#initialize ⇒ EscapedParams
constructor
A new instance of EscapedParams.
Methods inherited from Base
#accepts?, #debug, #default_options, default_options, default_reaction, #deny, #drop_session, #encrypt, #html?, #instrument, #origin, #random_string, #react, #referrer, #report, #safe?, #secure_compare, #session, #session?, #warn
Constructor Details
#initialize ⇒ EscapedParams
Returns a new instance of EscapedParams.
36 37 38 39 40 41 42 43 44 45 46 47 48 |
# File 'lib/rack/protection/escaped_params.rb', line 36 def initialize(*) super modes = Array [:escape] @escaper = [:escaper] @html = modes.include? :html @javascript = modes.include? :javascript @url = modes.include? :url return unless @javascript && (!@escaper.respond_to? :escape_javascript) raise('Use EscapeUtils for JavaScript escaping.') end |
Class Method Details
.escape_url ⇒ Object
29 |
# File 'lib/rack/protection/escaped_params.rb', line 29 alias escape_url escape |
Instance Method Details
#call(env) ⇒ Object
50 51 52 53 54 55 56 57 58 59 60 61 62 |
# File 'lib/rack/protection/escaped_params.rb', line 50 def call(env) request = Request.new(env) get_was = handle(request.GET) post_was = begin handle(request.POST) rescue StandardError nil end app.call env ensure request.GET.replace get_was if get_was request.POST.replace post_was if post_was end |
#escape(object) ⇒ Object
70 71 72 73 74 75 76 77 |
# File 'lib/rack/protection/escaped_params.rb', line 70 def escape(object) case object when Hash then escape_hash(object) when Array then object.map { |o| escape(o) } when String then escape_string(object) when Tempfile then object end end |
#escape_hash(hash) ⇒ Object
79 80 81 82 83 |
# File 'lib/rack/protection/escaped_params.rb', line 79 def escape_hash(hash) hash = hash.dup hash.each { |k, v| hash[k] = escape(v) } hash end |
#escape_string(str) ⇒ Object
85 86 87 88 89 90 |
# File 'lib/rack/protection/escaped_params.rb', line 85 def escape_string(str) str = @escaper.escape_url(str) if @url str = @escaper.escape_html(str) if @html str = @escaper.escape_javascript(str) if @javascript str end |
#handle(hash) ⇒ Object
64 65 66 67 68 |
# File 'lib/rack/protection/escaped_params.rb', line 64 def handle(hash) was = hash.dup hash.replace escape(hash) was end |