Added LinkScrubber to remove duplication in LinkSanitizer. As such ma…

…de PermitScrubber easier to subclass.
kaspth · Jun 16, 2014 · 1cdc511 · 1cdc511
1 parent 739ecdf
commit 1cdc511
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 11 deletions.
diff --git a/actionview/lib/action_view/helpers/sanitize_helper/sanitizers.rb b/actionview/lib/action_view/helpers/sanitize_helper/sanitizers.rb
@@ -1,6 +1,6 @@
 require 'active_support/core_ext/class/attribute'
 require 'active_support/deprecation'
-require 'action_view/helpers/sanitize_helper/permit_scrubber'
+require 'action_view/helpers/sanitize_helper/scrubbers'
 
 module ActionView
   XPATHS_TO_REMOVE = %w{.//script .//form comment()}
@@ -34,15 +34,7 @@ def sanitize(html, options = {})
 
   class LinkSanitizer < Sanitizer
     def initialize
-      @strip_tags = %w(a href)
-      @link_scrubber = Loofah::Scrubber.new do |node|
-        if @strip_tags.include?(node.name)
-          node.before node.children
-          node.remove
-        else
-          Loofah::HTML5::Scrub.scrub_attributes(node)
-        end
-      end
+      @link_scrubber = LinkScrubber.new
     end
 
     def sanitize(html, options = {})

diff --git a/...elpers/sanitize_helper/permit_scrubber.rb → ...view/helpers/sanitize_helper/scrubbers.rb b/...elpers/sanitize_helper/permit_scrubber.rb → ...view/helpers/sanitize_helper/scrubbers.rb
@@ -11,6 +11,9 @@
 # +attributes=+
 # Contain an elements allowed attributes.
 # If none is set HTML5::Scrub.scrub_attributes implementation will be used.
+#
+# Subclass PermitScrubber to provide your own definition of
+# when a node is allowed and how attributes should be scrubbed.
 class PermitScrubber < Loofah::Scrubber
   # :nodoc:
   attr_reader :tags, :attributes
@@ -24,7 +27,7 @@ def attributes=(attributes)
   end
 
   def scrub(node)
-    return CONTINUE if text_or_cdata_node?(node)
+    return CONTINUE if should_skip_node?(node)
 
     unless allowed_node?(node)
       node.before node.children # strip
@@ -55,6 +58,10 @@ def scrub_attributes(node)
     end
   end
 
+  def should_skip_node?(node)
+    text_or_cdata_node?(node)
+  end
+
   def text_or_cdata_node?(node)
     case node.type
     when Nokogiri::XML::Node::TEXT_NODE, Nokogiri::XML::Node::CDATA_SECTION_NODE
@@ -70,3 +77,15 @@ def validate!(var, name)
     var
   end
 end
+
+# LinkScrubber overrides PermitScrubbers +allowed_node?+ to any nodes
+# which names aren't a or href
+class LinkScrubber < PermitScrubber
+  def initialize
+    @strip_tags = %w(a href)
+  end
+
+  def allowed_node?(node)
+    !@strip_tags.include?(node.name)
+  end
+end