Sanitizes a block of CSS code. Used by process_attributes_for when it comes across a style attribute.
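# File lib/action_controller/vendor/html-scanner/html/sanitizer.rb, line 107
# Sanitizes a block of CSS code (the value of a +style+ attribute).
#
# The value is treated as untrusted input: +url(...)+ references are stripped,
# the whole string must then pass a character whitelist and a
# "property: value;" structure check, and only declarations whose property is
# in +allowed_css_properties+ (or whose shorthand prefix is in
# +shorthand_css_properties+ with every value token being an allowed keyword,
# a hex colour, an rgb() triple or a number with an optional unit) are kept.
#
# @param style [String, nil] raw style attribute value; +nil+ is treated as ""
# @return [String] the surviving declarations joined by a space, or "" when
#   the input fails the gauntlet
def sanitize_css(style)
  # disallow urls
  style = style.to_s.gsub(/url\s*\(\s*[^\s)]+?\s*\)\s*/, ' ')

  # gauntlet: the whole value must consist of whitelisted characters and look
  # like a list of "prop: value;" declarations. \A and \z anchor the entire
  # string; ^ and $ only anchor a single line, which would let a value through
  # as long as one of its lines was clean while the later scan still reads
  # every line.
  if style !~ /\A([:,;#%.\sa-zA-Z0-9!]|\w-\w|\'[\s\w]+\'|\"[\s\w]+\"|\([\d,\s]+\))*\z/ ||
     style !~ /\A(\s*[-\w]+\s*:\s*[^:;]*(;|$)\s*)*\z/
    return ''
  end

  clean = []
  style.scan(/([-\w]+)\s*:\s*([^:;]*)/) do |prop, val|
    if allowed_css_properties.include?(prop.downcase)
      clean << "#{prop}: #{val};"
    elsif shorthand_css_properties.include?(prop.split('-').first.downcase)
      # a shorthand value survives only if every whitespace-separated token is
      # an allowed keyword, a hex colour, an rgb() triple or a bare number with
      # an optional unit
      bad_token = val.split.any? do |keyword|
        !allowed_css_keywords.include?(keyword) &&
          keyword !~ /\A(#[0-9a-f]+|rgb\(\d+%?,\d*%?,?\d*%?\)?|\d{0,2}\.?\d{0,2}(cm|em|ex|in|mm|pc|pt|px|%|,|\))?)\z/
      end
      clean << "#{prop}: #{val};" unless bad_token
    end
  end
  clean.join(' ')
end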
# File lib/action_controller/vendor/html-scanner/html/sanitizer.rb, line 171
# Truthy when +attr_name+ is one of +uri_attributes+ and +value+ carries a
# scheme that is not in +allowed_protocols+.
#
# The regexp looks for something scheme-like in +value+ (a leading "scheme:"
# or an encoded colon); the scheme compared against the whitelist is whatever
# precedes +protocol_separator+ in +value+.
# NOTE(review): the regexp as shown on this page looks mangled by HTML entity
# decoding (a replacement character and a bare "p" are not meaningful here);
# confirm its alternatives against the source file before relying on it.
#
# @param attr_name [String] attribute name, e.g. "href"
# @param value [String] attribute value
# @return [Boolean, nil]
def contains_bad_protocols?(attr_name, value)
  uri_attributes.include?(attr_name) &&
    (value =~ /(^[^\/:]*):|(�*58)|(p)|(%|%)3A/ && !allowed_protocols.include?(value.split(protocol_separator).first))
end
# File lib/action_controller/vendor/html-scanner/html/sanitizer.rb, line 158
# Filters the attributes of +node+ in place.
#
# Attributes not listed in +options[:attributes]+ are dropped, as are those
# whose value fails +contains_bad_protocols?+. A surviving +style+ value goes
# through +sanitize_css+; every other surviving value is HTML-unescaped and
# re-escaped so it ends up escaped exactly once.
#
# @param node [#attributes] node whose +attributes+ hash is edited in place;
#   nothing happens when that hash is +nil+
# @param options [Hash] expects +:attributes+, the whitelist of attribute names
# @return the result of the key iteration; callers use the side effect only
def process_attributes_for(node, options)
  attributes = node.attributes
  return unless attributes

  permitted = options[:attributes]
  # iterate over a snapshot of the keys since entries are deleted on the way
  attributes.keys.each do |name|
    value = attributes[name].to_s
    if permitted.include?(name) && !contains_bad_protocols?(name, value)
      attributes[name] = name == 'style' ? sanitize_css(value) : CGI.escapeHTML(CGI.unescapeHTML(value))
    else
      attributes.delete(name)
    end
  end
end
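# File lib/action_controller/vendor/html-scanner/html/sanitizer.rb, line 141
# Appends the sanitized form of +node+ to +result+.
#
# Tags: +options[:parent]+ is a stack of open tag names; a closing tag pops it
# and any other tag pushes its name. The tag's attributes are then filtered
# with +process_attributes_for+. The tag itself is kept only when its name is
# in +options[:tags]+; otherwise +nil+ is appended in its place.
#
# Other nodes (text): dropped (+nil+) when the innermost open tag is one of
# +bad_tags+, otherwise their text is appended with "<" escaped as "&lt;".
# The page rendering showed the replacement as a bare "<", which would be a
# no-op and leave text able to open a tag; the entity is the intended escape.
#
# @param node [HTML::Node]
# @param result [Array] accumulator receiving a node, a String or +nil+
# @param options [Hash] expects +:parent+ (Array used as a stack) and +:tags+
#   (whitelist of tag names)
# @return [Array] +result+
def process_node(node, result, options)
  result << case node
            when HTML::Tag
              if node.closing == :close
                options[:parent].shift
              else
                options[:parent].unshift node.name
              end

              process_attributes_for node, options

              options[:tags].include?(node.name) ? node : nil
            else
              # escape "<" so text content cannot introduce markup
              bad_tags.include?(options[:parent].first) ? nil : node.to_s.gsub(/</, '&lt;')
            end
end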