forked from coletivoEITA/noosfero-ecosol
-
Notifications
You must be signed in to change notification settings - Fork 4
/
xss_terminate.rb
94 lines (81 loc) · 2.73 KB
/
xss_terminate.rb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
module XssTerminate
def self.sanitize_by_default=(value)
@@sanitize_by_default = value
end
def self.included(base)
base.extend(ClassMethods)
# sets up default of stripping tags for all fields
# FIXME read value from environment.rb
@@sanitize_by_default = false
base.send(:xss_terminate) if @@sanitize_by_default
end
module ClassMethods
def xss_terminate(options = {})
options[:with] ||= 'full'
filter_with = 'sanitize_fields_with_' + options[:with]
# :on is util when before_filter dont work for model
case options[:on]
when 'create'
before_create filter_with
when 'validation'
before_validation filter_with
else
before_save filter_with
end
class_attribute "xss_terminate_#{options[:with]}_options".to_sym
self.send("xss_terminate_#{options[:with]}_options=".to_sym, {
:except => (options[:except] || []),
:only => (options[:only] || options[:sanitize] || [])
})
include XssTerminate::InstanceMethods
end
end
module InstanceMethods
def sanitize_field(sanitizer, field, serialized = false)
field = field.to_sym
if serialized
puts field
self[field].each_key { |key|
key = key.to_sym
self[field][key] = sanitizer.sanitize(self[field][key])
}
else
if self[field]
self[field] = sanitizer.sanitize(self[field])
else
self.send("#{field}=", sanitizer.sanitize(self.send("#{field}")))
end
end
end
def sanitize_columns(with = :full)
columns_serialized = self.class.serialized_attributes.keys
only = eval "xss_terminate_#{with}_options[:only]"
except = eval "xss_terminate_#{with}_options[:except]"
unless except.empty?
only.delete_if{ |i| except.include?( i.to_sym ) }
end
return only, columns_serialized
end
def sanitize_fields_with_full
sanitizer = ActionView::Base.full_sanitizer
columns, columns_serialized = sanitize_columns(:full)
columns.each do |column|
sanitize_field(sanitizer, column.to_sym, columns_serialized.include?(column))
end
end
def sanitize_fields_with_white_list
sanitizer = ActionView::Base.white_list_sanitizer
columns, columns_serialized = sanitize_columns(:white_list)
columns.each do |column|
sanitize_field(sanitizer, column.to_sym, columns_serialized.include?(column))
end
end
def sanitize_fields_with_html5lib
sanitizer = HTML5libSanitize.new
columns = sanitize_columns(:html5lib)
columns.each do |column|
sanitize_field(sanitizer, column.to_sym, columns_serialized.include?(column))
end
end
end
end