@@ -12,7 +12,8 @@ module XssTerminate write_inheritable_attribute(:xss_terminate_options, { :except => (options[:except] || []), :html5lib_sanitize => (options[:html5lib_sanitize] || []), - :sanitize => (options[:sanitize] || []) + :sanitize => (options[:sanitize] || []), + :options => (options[:options] || {}) }) class_inheritable_reader :xss_terminate_options @@ -41,7 +42,7 @@ module XssTerminate elsif xss_terminate_options[:html5lib_sanitize].include?(field) self[field] = HTML5libSanitize.new.sanitize_html(value) elsif xss_terminate_options[:sanitize].include?(field) - self[field] = RailsSanitize.white_list_sanitizer.sanitize(value) + self[field] = RailsSanitize.white_list_sanitizer.sanitize(value, xss_terminate_options[:options].clone) else self[field] = RailsSanitize.full_sanitizer.sanitize(value) end lib/xss_terminate.rb @@ -3,5 +3,5 @@ class Entry < ActiveRecord::Base belongs_to :person has_many :comments - xss_terminate :sanitize => [:body, :extended] + xss_terminate :sanitize => [:body, :extended], :options => {:tags => %w(strong i)} end test/models/entry.rb @@ -25,6 +25,15 @@ class XssTerminateTest < Test::Unit::TestCase assert_equal "", e.extended end + def test_rails_sanitization_with_options + e = Entry.create!(:title => 'Title', + :body => '<script>alert("xss in body")</script><strong>Bold</strong><i>Italic</i><p>Paragraph</p>', + :extended => '<script>alert("xss in extended")</script>', + :person_id => 1) + assert_equal '<strong>Bold</strong><i>Italic</i>Paragraph', e.body + assert_equal '', e.extended + end + def test_excepting_specified_fields p = Person.create!(:name => "<strong>Mallory</strong>") test/xss_terminate_test.rb 70f470f811d4b1e5fccb4c41db8f7b4053b373c5 ebolshakov ebolshakov@ebolshakov-desktop.(none) http://github.com/jasherai/xss_terminate/commit/e852fcadb92f2a0d6ec861cda20ee81865c09030 e852fcadb92f2a0d6ec861cda20ee81865c09030 2008-07-15T10:28:26-07:00 2008-07-15T10:28:26-07:00 Added 'options' parameter to the xss_terminate method to pass additional options to the rails sanitize method (like allowed tags & attributes) e1e48e6d565ca2d57da1360b6619c905a21b4bc0 ebolshakov ebolshakov@ebolshakov-desktop.(none)