
Added 'options' parameter to the xss_terminate method to pass additional options to the rails sanitize method (like allowed tags & attributes)
1 parent 70f470f commit e852fcadb92f2a0d6ec861cda20ee81865c09030 ebolshakov committed Jul 15, 2008
Showing with 13 additions and 3 deletions.
  1. +3 −2 lib/xss_terminate.rb
  2. +1 −1 test/models/entry.rb
  3. +9 −0 test/xss_terminate_test.rb
5 lib/xss_terminate.rb
@@ -12,7 +12,8 @@ def xss_terminate(options = {})
write_inheritable_attribute(:xss_terminate_options, {
:except => (options[:except] || []),
:html5lib_sanitize => (options[:html5lib_sanitize] || []),
- :sanitize => (options[:sanitize] || [])
+ :sanitize => (options[:sanitize] || []),
+ :options => (options[:options] || {})
})
class_inheritable_reader :xss_terminate_options
@@ -41,7 +42,7 @@ def sanitize_fields
elsif xss_terminate_options[:html5lib_sanitize].include?(field)
self[field] = HTML5libSanitize.new.sanitize_html(value)
elsif xss_terminate_options[:sanitize].include?(field)
- self[field] = RailsSanitize.white_list_sanitizer.sanitize(value)
+ self[field] = RailsSanitize.white_list_sanitizer.sanitize(value, xss_terminate_options[:options].clone)
else
self[field] = RailsSanitize.full_sanitizer.sanitize(value)
end
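Review bot: `xss_terminate_options[:options].clone` on the new `sanitize` line is a shallow copy, so the `:tags`/`:attributes` arrays inside the class-level hash are still shared with every record; if `WhiteListSanitizer#sanitize` ever mutates those arrays in place (I cannot confirm that from this hunk), the change would leak into the configuration for all subsequent saves. The hunk also passes the hash straight through to the sanitizer, which means `:options` widens the whitelist rather than narrowing it — a comment on the new `:options =>` line in the first hunk would make that explicit for callers: `# passed verbatim to WhiteListSanitizer#sanitize (:tags / :attributes); widens the whitelist, so keep it static class config`. Worth documenting too that `:options` only affects the `:sanitize` branch and is ignored for `:html5lib_sanitize` fields and for the default `full_sanitizer` path. Both `xss_terminate` and `sanitize_fields` begin outside their hunks.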
2 test/models/entry.rb
@@ -3,5 +3,5 @@ class Entry < ActiveRecord::Base
belongs_to :person
has_many :comments
- xss_terminate :sanitize => [:body, :extended]
+ xss_terminate :sanitize => [:body, :extended], :options => {:tags => %w(strong i)}
end
9 test/xss_terminate_test.rb
@@ -25,6 +25,15 @@ def test_rails_sanitization_on_specified_fields
assert_equal "", e.extended
end
+ def test_rails_sanitization_with_options
+ e = Entry.create!(:title => 'Title',
+ :body => '<script>alert("xss in body")</script><strong>Bold</strong><i>Italic</i><p>Paragraph</p>',
+ :extended => '<script>alert("xss in extended")</script>',
+ :person_id => 1)
+ assert_equal '<strong>Bold</strong><i>Italic</i>Paragraph', e.body
+ assert_equal '', e.extended
+ end
+
def test_excepting_specified_fields
p = Person.create!(:name => "<strong>Mallory</strong>")
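Review bot: `test_rails_sanitization_with_options` only pins the `:tags` half of the new `:options` hash — nothing checks that an attribute outside the whitelist is stripped from a permitted tag, which is the case the `:attributes` option exists for. A second assertion in the same test would close that gap, e.g. `e2 = Entry.create!(:title => 'Title', :body => '<strong onclick="x()">Bold</strong>', :person_id => 1)` followed by `assert_equal '<strong>Bold</strong>', e2.body` (constructed example; exact output depends on the Rails version's default attribute whitelist, which this page does not show). The trailing context of this hunk appears cut off in the rendered page, so the surrounding test method ends outside the visible lines.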

1 comment on commit e852fca

@look
look commented on e852fca Jan 2, 2009

Hey, I finally moved xss_terminate’s repository to GitHub: http://github.com/look/xss_terminate/tree/master

I’d love it if you’d submit a patch with this enhancement to that repository.

Regards,
Luke Francl
