Class: Rack::Protection::EscapedParams

Inherits:

Base

• Object
• Base
• Rack::Protection::EscapedParams

Extended by:

Utils

Defined in:

lib/rubypitaya/app-template/vendor/bundle/ruby/3.1.0/gems/rack-protection-3.0.5/lib/rack/protection/escaped_params.rb

Overview

Prevented attack

XSS

Supported browsers

all

More infos

en.wikipedia.org/wiki/Cross-site_scripting

Automatically escapes Rack::Request#params so they can be embedded in HTML or JavaScript without any further issues.

Options:

escape

What escaping modes to use, should be Symbol or Array of Symbols. Available: :html (default), :javascript, :url

Constant Summary

Constants included from Utils

Utils::COMMON_SEP, Utils::DEFAULT_SEP, Utils::ESCAPE_HTML, Utils::ESCAPE_HTML_PATTERN, Utils::HTTP_STATUS_CODES, Utils::InvalidParameterError, Utils::KeySpaceConstrainedParams, Utils::NULL_BYTE, Utils::PATH_SEPS, Utils::ParameterTypeError, Utils::RFC2822_DAY_NAME, Utils::RFC2822_MONTH_NAME, Utils::STATUS_WITH_NO_ENTITY_BODY, Utils::SYMBOL_TO_STATUS_CODE

Constants inherited from Base

Base::DEFAULT_OPTIONS

Instance Attribute Summary

Attributes inherited from Base

#app, #options

Class Method Summary

• .escape_url ⇒ Object

Instance Method Summary

• #call(env) ⇒ Object
• #escape(object) ⇒ Object
• #escape_hash(hash) ⇒ Object
• #escape_string(str) ⇒ Object
• #handle(hash) ⇒ Object
• #initialize ⇒ EscapedParams constructor

  A new instance of EscapedParams.

Methods included from Utils

add_cookie_to_header, add_remove_cookie_to_header, best_q_match, build_nested_query, build_query, byte_ranges, clean_path_info, clock_time, delete_cookie_header!, escape, escape_html, escape_path, get_byte_ranges, key_space_limit, key_space_limit=, make_delete_cookie_header, param_depth_limit, param_depth_limit=, parse_cookies, parse_cookies_header, parse_nested_query, parse_query, q_values, rfc2109, rfc2822, secure_compare, select_best_encoding, set_cookie_header!, status_code, unescape, unescape_path, valid_path?

Methods inherited from Base

#accepts?, #default_options, default_options, default_reaction, #deny, #drop_session, #encrypt, #html?, #instrument, #origin, #random_string, #react, #referrer, #report, #safe?, #secure_compare, #session, #session?, #warn

Constructor Details

#initialize ⇒ EscapedParams

Returns a new instance of EscapedParams.

# File 'lib/rubypitaya/app-template/vendor/bundle/ruby/3.1.0/gems/rack-protection-3.0.5/lib/rack/protection/escaped_params.rb', line 36

def initialize(*)
  super

  modes       = Array options[:escape]
  @escaper    = options[:escaper]
  @html       = modes.include? :html
  @javascript = modes.include? :javascript
  @url        = modes.include? :url

  return unless @javascript && (!@escaper.respond_to? :escape_javascript)

  raise('Use EscapeUtils for JavaScript escaping.')
end

Class Method Details

.escape_url ⇒ Object

# File 'lib/rubypitaya/app-template/vendor/bundle/ruby/3.1.0/gems/rack-protection-3.0.5/lib/rack/protection/escaped_params.rb', line 29

alias escape_url escape

Instance Method Details

#call(env) ⇒ Object

# File 'lib/rubypitaya/app-template/vendor/bundle/ruby/3.1.0/gems/rack-protection-3.0.5/lib/rack/protection/escaped_params.rb', line 50

def call(env)
  request  = Request.new(env)
  get_was  = handle(request.GET)
  post_was = begin
    handle(request.POST)
  rescue StandardError
    nil
  end
  app.call env
ensure
  request.GET.replace  get_was  if get_was
  request.POST.replace post_was if post_was
end

#escape(object) ⇒ Object

# File 'lib/rubypitaya/app-template/vendor/bundle/ruby/3.1.0/gems/rack-protection-3.0.5/lib/rack/protection/escaped_params.rb', line 70

def escape(object)
  case object
  when Hash   then escape_hash(object)
  when Array  then object.map { |o| escape(o) }
  when String then escape_string(object)
  when Tempfile then object
  end
end

#escape_hash(hash) ⇒ Object

# File 'lib/rubypitaya/app-template/vendor/bundle/ruby/3.1.0/gems/rack-protection-3.0.5/lib/rack/protection/escaped_params.rb', line 79

def escape_hash(hash)
  hash = hash.dup
  hash.each { |k, v| hash[k] = escape(v) }
  hash
end

#escape_string(str) ⇒ Object

# File 'lib/rubypitaya/app-template/vendor/bundle/ruby/3.1.0/gems/rack-protection-3.0.5/lib/rack/protection/escaped_params.rb', line 85

def escape_string(str)
  str = @escaper.escape_url(str)        if @url
  str = @escaper.escape_html(str)       if @html
  str = @escaper.escape_javascript(str) if @javascript
  str
end

#handle(hash) ⇒ Object

# File 'lib/rubypitaya/app-template/vendor/bundle/ruby/3.1.0/gems/rack-protection-3.0.5/lib/rack/protection/escaped_params.rb', line 64

def handle(hash)
  was = hash.dup
  hash.replace escape(hash)
  was
end