Commit 2622da17
Authored on Jul 02, 2013 by Timm
Added PermitScrubber which allows you to permit elements for sanitization.
Parent: d4d13925
Showing 2 changed files with 85 additions and 13 deletions (+85 -13)
actionview/lib/action_view/helpers/sanitize_helper/permit_scrubber.rb +71 -0
actionview/lib/action_view/helpers/sanitize_helper/sanitizers.rb +14 -13
actionview/lib/action_view/helpers/sanitize_helper/permit_scrubber.rb (0 → 100644)
# === PermitScrubber
#
# PermitScrubber allows you to permit only your own tags and/or attributes.
#
# Supplied tags and attributes should be Enumerables
#
# +tags=+
# If this value is set all other elements will be stripped (their inner elements will be kept).
# If not set elements for which HTML5::Scrub.allowed_element? is false will be stripped.
#
# +attributes=+
# Contain an elements allowed attributes.
# If none is set HTML5::Scrub.scrub_attributes implementation will be used.
class
PermitScrubber
<
Loofah
::
Scrubber
attr_reader
:tags
,
:attributes
def
tags
=
(
tags
)
@tags
=
validate!
(
tags
,
:tags
)
end
def
attributes
=
(
attributes
)
@attributes
=
validate!
(
attributes
,
:attributes
)
end
def
scrub
(
node
)
return
CONTINUE
if
text_or_cdata_node?
(
node
)
unless
allowed_node?
(
node
)
node
.
before
node
.
children
# strip
node
.
remove
return
STOP
end
scrub_attributes
(
node
)
end
protected
def
allowed_node?
(
node
)
if
@tags
@tags
.
include?
(
node
.
name
)
else
Loofah
::
HTML5
::
Scrub
.
allowed_element?
(
node
.
name
)
end
end
def
scrub_attributes
(
node
)
if
@attributes
node
.
attributes
.
each
do
|
name
,
_
|
node
.
remove_attribute
(
name
)
unless
@attributes
.
include?
(
name
)
end
else
Loofah
::
HTML5
::
Scrub
.
scrub_attributes
(
node
)
end
end
def
text_or_cdata_node?
(
node
)
case
node
.
type
when
Nokogiri
::
XML
::
Node
::
TEXT_NODE
,
Nokogiri
::
XML
::
Node
::
CDATA_SECTION_NODE
return
true
end
false
end
def
validate!
(
var
,
name
)
if
var
&&
!
var
.
is_a?
(
Enumerable
)
raise
ArgumentError
,
"You should pass :
#{
name
}
as an Enumerable"
end
var
end
end
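Review bot: In `scrub`, a disallowed element is handled by `node.before node.children`, then `node.remove`, then `return STOP`; the promoted children are now siblings of the removed node rather than its descendants, so whether they are scrubbed at all depends on whether Loofah's traversal revisits nodes inserted before the current one. Please add a test with a disallowed element nested inside another disallowed element, and one where the inner element carries an attribute outside the permitted set, to confirm nothing passes through unscrubbed. Two smaller points: `allowed_node?` compares `node.name` (a String) with `@tags.include?`, so a caller passing symbols such as `[:a, :p]` will silently have every element stripped; either normalise with `tags.map(&:to_s)` in `tags=` or document that strings are required. And the class is defined at top level as `PermitScrubber` while sanitizers.rb wraps its classes in `module ActionView`; nesting it under the same module avoids a global constant and matches the file path.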
actionview/lib/action_view/helpers/sanitize_helper/sanitizers.rb
require
'active_support/core_ext/class/attribute'
require
'active_support/deprecation'
require
'action_view/helpers/sanitize_helper/permit_scrubber'
require
'loofah'
module
ActionView
...
...
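Review bot: Load order in the require block: permit_scrubber.rb defines `class PermitScrubber < Loofah::Scrubber`, so `Loofah` must already be defined when that file is loaded, yet it is required here before `require 'loofah'` and does not require loofah itself. Loading sanitizers.rb without loofah already loaded (for example in an isolated test) will raise `NameError: uninitialized constant Loofah`. Either swap the two `require` lines or add `require 'loofah'` at the top of permit_scrubber.rb.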
@@ -25,13 +26,23 @@ def sanitize(html, options = {})
end
class
WhiteListSanitizer
def
initialize
@permit_scrubber
=
PermitScrubber
.
new
end
def
sanitize
(
html
,
options
=
{})
return
nil
unless
html
validate_options
(
options
)
loofah_fragment
=
Loofah
.
fragment
(
html
)
loofah_fragment
.
scrub!
(
:strip
)
loofah_fragment
.
xpath
(
"./form"
).
each
{
|
form
|
form
.
remove
}
if
options
[
:tags
]
||
options
[
:attributes
]
@permit_scrubber
.
tags
=
options
[
:tags
]
@permit_scrubber
.
attributes
=
options
[
:attributes
]
loofah_fragment
.
scrub!
(
@permit_scrubber
)
else
loofah_fragment
.
scrub!
(
:strip
)
loofah_fragment
.
xpath
(
"./form"
).
each
{
|
form
|
form
.
remove
}
end
loofah_fragment
.
to_s
end
...
...
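Review bot: `@permit_scrubber` is created once in `initialize` and then has its `tags` and `attributes` reassigned on every call to `sanitize`, so a `WhiteListSanitizer` instance shared across callers or threads can have one request's `:tags` applied to another request's HTML. Building a fresh `PermitScrubber` inside `sanitize` (or passing the options to its constructor) removes that shared mutable state. Also, the `xpath("./form").each { |form| form.remove }` step only runs in the `else` branch: when `:tags` or `:attributes` is given, a `form` element survives whenever the caller's tag list includes it (or, with only `:attributes` set, whenever `Loofah::HTML5::Scrub.allowed_element?` accepts it). If that is intentional, say so in a comment and a test; otherwise move the form removal after the `if`/`else` so both paths apply it.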
@@ -97,16 +108,6 @@ def bad_tags=(tags)
self
.
allowed_protocols
=
Loofah
::
HTML5
::
WhiteList
::
ALLOWED_PROTOCOLS
protected
def
validate_options
(
options
)
if
options
[
:tags
]
&&
!
options
[
:tags
].
is_a?
(
Enumerable
)
raise
ArgumentError
,
"You should pass :tags as an Enumerable"
end
if
options
[
:attributes
]
&&
!
options
[
:attributes
].
is_a?
(
Enumerable
)
raise
ArgumentError
,
"You should pass :attributes as an Enumerable"
end
end
def
contains_bad_protocols?
(
attr_name
,
value
)
protocol_separator
=
':'
self
.
uri_attributes
.
include?
(
attr_name
)
&&
...
...
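Review bot: The `validate_options(options)` call kept in `sanitize` in the earlier hunk will raise `NoMethodError` if the `validate_options` definition is removed here, which the 16-to-6 line count of this hunk and the identical check in `PermitScrubber#validate!` suggest is the intent. Either keep `validate_options` or drop the call, and add a test that exercises `sanitize` with and without `:tags` so the two validation paths stay in sync (the message "You should pass :tags as an Enumerable" currently lives in both places).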