Class: Gitlab::Sanitizers::SVG::Scrubber
- Inherits:
-
Loofah::Scrubber
- Object
- Loofah::Scrubber
- Gitlab::Sanitizers::SVG::Scrubber
- Defined in:
- lib/gitlab/sanitizers/svg.rb
Constant Summary collapse
# Shape of an acceptable arbitrary +data-*+ attribute name (used by
# #data_attribute?): the literal "data-" prefix, which must not be followed
# by "xml" (presumably because names beginning with xml are reserved in XML
# — confirm), then a first character in [a-z_], then any run of word
# characters (\w), ".", "-" or the listed Latin-1 / Latin Extended ranges.
# Anchored with \A and \z so the *whole* name is validated, never just a
# prefix (^/$ would match per line and let a multi-line name through).
DATA_ATTR_PATTERN = /\Adata-(?!xml)[a-z_][\w.\u00E0-\u00F6\u00F8-\u017F\u01DD-\u02AF-]*\z/u
Instance Method Details
#allows_data_attribute?(node) ⇒ Boolean
# Whether +node+ is one of the elements on which arbitrary +data-*+
# attributes are tolerated (Whitelist::ALLOWED_DATA_ATTRIBUTES_IN_ELEMENTS).
# #scrub strips data attributes from every other element.
#
# @param node [#name] element currently being scrubbed
# @return [Boolean]
def allows_data_attribute?(node)
  element_name = node.name
  Whitelist::ALLOWED_DATA_ATTRIBUTES_IN_ELEMENTS.include?(element_name)
end
#attribute_name_with_namespace(attr) ⇒ Object
# Renders an attribute's qualified name the way the allowlist spells it:
# "prefix:name" for a namespaced attribute, the bare local name otherwise.
# The prefix is the one declared in the document, not the namespace URI, so
# an XLink attribute bound to a prefix other than "xlink" yields a name that
# is not on the allowlist (and a nil prefix yields ":name", likewise never
# on the allowlist) — both are fail-closed for the caller.
#
# @param attr [#name, #namespace] attribute node; +namespace+ may be nil
# @return [String]
def attribute_name_with_namespace(attr)
  ns = attr.namespace
  return attr.name unless ns

  "#{ns.prefix}:#{attr.name}"
end
#data_attribute?(attr) ⇒ Boolean
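# Whether +attr+ is an arbitrary +data-*+ attribute that #scrub may keep on
# elements listed in Whitelist::ALLOWED_DATA_ATTRIBUTES_IN_ELEMENTS. The
# name must be unprefixed (no namespace), start with "data-" and match
# DATA_ATTR_PATTERN in full; a namespaced name such as "xlink:data-x" is
# rejected even though its local part starts with "data-".
#
# Uses Regexp#match? so the predicate returns a strict true/false; the
# former `=~` form returned nil for a non-matching name and set $~ for
# nothing. The start_with? check is a cheap fast path before the regexp.
#
# @param attr [#name, #namespace]
# @return [Boolean]
def data_attribute?(attr)
  attr.name.start_with?('data-') &&
    DATA_ATTR_PATTERN.match?(attr.name) &&
    attr.namespace.nil?
end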
#scrub(node) ⇒ Object
# Loofah callback run for every node of the SVG document. An element that is
# not in Whitelist::ALLOWED_ELEMENTS is unlinked (removed, and its subtree
# with it). For an allowed element each attribute survives only if its
# qualified name is in Whitelist::ALLOWED_ATTRIBUTES for that element and it
# is not an unsafe +xlink:href+ (see #unsafe_href?), or if it is an
# arbitrary +data-*+ attribute on an element that permits them.
#
# Attribute names are compared by the prefix written in the document
# ("xlink:href"), not by namespace URI; an XLink attribute bound to another
# prefix is simply not on the list and gets removed.
#
# NOTE(review): an allowed element with no entry at all in
# ALLOWED_ATTRIBUTES returns early and keeps *every* attribute it carries.
# That is only safe if each ALLOWED_ELEMENTS entry also has an
# ALLOWED_ATTRIBUTES key — confirm against Whitelist.
#
# @param node [#name, #unlink, #attribute_nodes] node being scrubbed
# @return [Object] not meaningful; the work is done by mutating +node+
def scrub(node)
  unless Whitelist::ALLOWED_ELEMENTS.include?(node.name)
    node.unlink
    return
  end

  permitted = Whitelist::ALLOWED_ATTRIBUTES[node.name]
  return unless permitted

  # Unlinking inside the loop relies on attribute_nodes returning a snapshot
  # array rather than a live view of the element's attributes.
  node.attribute_nodes.each do |attr|
    qualified_name = attribute_name_with_namespace(attr)

    keep =
      if permitted.include?(qualified_name)
        !unsafe_href?(attr)
      else
        # Arbitrary data attributes are tolerated on a subset of elements.
        allows_data_attribute?(node) && data_attribute?(attr)
      end

    attr.unlink unless keep
  end
end
#unsafe_href?(attr) ⇒ Boolean
# True for an +xlink:href+ whose value points anywhere but a same-document
# fragment. Only values beginning with "#" are allowed, so external URLs,
# data: and javascript: URIs, and even a fragment with leading whitespace are
# all reported as unsafe (fail-closed). Attributes under any other qualified
# name are never unsafe here — including an unprefixed +href+, which is
# governed solely by the attribute allowlist in #scrub.
#
# @param attr [#name, #namespace, #value]
# @return [Boolean]
def unsafe_href?(attr)
  return false unless attribute_name_with_namespace(attr) == 'xlink:href'

  !attr.value.start_with?('#')
end