#7 xss対策

app/helpers/application_helper.rb

@@ -11,15 +11,25 @@ def full_title(html_title = '')
   end
 
   def text_contain_url(text)
-      URI.extract(text, ['http', 'https']).uniq.each do |url|
-          sub_text = "" << "<a href=" << url << " target=\"_blank\">" << url << "</a>"
-          text.gsub!(url, sub_text)
-      end
-      return text
+    URI.extract(text, ['http', 'https']).uniq.each do |url|
+      sub_text = "" << "<a href=" << url << " target=\"_blank\">" << url << "</a>"
+      text.gsub!(url, sub_text)
+    end
+    return text
+  end
+
+  def parent_layout(layout)
+    @view_flow.set(:layout, self.output_buffer)
+    self.output_buffer = render(file: "layouts/#{layout}")
+  end
+
+  def to_xss_safe_url(text)
+    if text.match(StoreUrl::PERMIT_URL_REGEX)
+      text
+    else
+      ''
+    end
   end
 
-   def parent_layout(layout)
-       @view_flow.set(:layout, self.output_buffer)
-       self.output_buffer = render(file: "layouts/#{layout}")
-   end
+
 end

app/models/store_url.rb

@@ -1,7 +1,9 @@
 class StoreUrl < ApplicationRecord
+  PERMIT_URL_REGEX=/\A#{URI::regexp(%w(http https))}\z/
+
   belongs_to :game
   belongs_to :platform
 
-  validates :url, presence: true, length: {maximum: 256}, format: /\A#{URI::regexp(%w(http https))}\z/
+  validates :url, presence: true, length: {maximum: 256}, format: PERMIT_URL_REGEX
   validates :memo, length: {maximum: 256}
 end

app/views/games/show.html.erb

@@ -35,7 +35,7 @@
                 <% @game.store_urls.each do |s| %>
                     <li>
                       <span class="icon-<%= s.platform.code %>" aria-hidden="true"></span>
-                      <%= link_to s.url, s.url, target: '_blank' %>
+                      <%= link_to to_xss_safe_url(s.url), to_xss_safe_url(s.url), target: '_blank' %>
                     </li>
                 <% end %>
               </ul>