Class: Rack::Protection::EscapedParams
Defined in: lib/rack/protection/escaped_params.rb
Overview
Prevented attack: XSS
Supported browsers: all
More infos:
Automatically escapes Rack::Request#params so they can be embedded in HTML (:html mode) or JavaScript (:javascript mode) without further escaping by the application. Calls html_safe on the escaped strings if defined, to avoid double-escaping in Rails.
The escaping is applied to request.GET and request.POST in place before the inner app is called, and the original, unescaped hashes are restored once it returns (see #call), so only the wrapped application sees escaped values. Because the escaping happens on input rather than at render time, values the application persists (database, session, API response) are stored already escaped, and a view that escapes them a second time emits entities such as &amp;lt; unless it treats them as safe. Only String, Array and Hash values are handled; #escape raises ArgumentError for anything else, such as a nil value, and for GET parameters that exception is not rescued, so the request fails.
Options:
escape: What escaping modes to use, should be Symbol or Array of Symbols. Available: :html (default), :javascript, :url. Each mode maps to EscapeUtils.escape_<mode>; when several modes are given the calls are nested, with the last listed mode applied first.
Constant Summary
Constants inherited from Base
Instance Attribute Summary
Attributes inherited from Base
Instance Method Summary
- #call(env) ⇒ Object
- #escape(object) ⇒ Object
- #escape_hash(hash) ⇒ Object
- #handle(hash) ⇒ Object
- #initialize ⇒ EscapedParams (constructor): A new instance of EscapedParams.
Methods inherited from Base
#accepts?, #default_options, default_options, default_reaction, #deny, #drop_session, #encrypt, #random_string, #react, #referrer, #safe?, #session, #session?, #warn
Constructor Details
#initialize ⇒ EscapedParams
Returns a new instance of EscapedParams.
# File 'lib/rack/protection/escaped_params.rb', line 21
def initialize(*)
  super
  # :escape is a Symbol or an Array of Symbols (default :html)
  modes = Array options[:escape]
  # Build escape_string(str) as nested EscapeUtils.escape_<mode>(...) calls.
  # Each further mode is substituted into the innermost %s, so modes listed
  # later are applied first. An unknown mode only fails on the first request,
  # with NoMethodError from EscapeUtils.
  code = "def self.escape_string(str) %s end"
  modes.each { |m| code %= "EscapeUtils.escape_#{m}(%s)" }
  eval code % 'str'
end
Instance Method Details
#call(env) ⇒ Object
# File 'lib/rack/protection/escaped_params.rb', line 29
def call(env)
  request  = Request.new(env)
  get_was  = handle(request.GET)
  # Parsing the body can fail (unparsable or non-form content); then POST is left untouched
  post_was = handle(request.POST) rescue nil
  app.call env
ensure
  # Put the unescaped params back once the inner app has returned.
  # Note: if handle(request.GET) raised, get_was is nil and replace raises TypeError.
  request.GET.replace get_was
  request.POST.replace post_was if post_was
end
#escape(object) ⇒ Object
# File 'lib/rack/protection/escaped_params.rb', line 45
# Recursively escapes nested params; only Hash, Array and String are understood.
def escape(object)
  case object
  when Hash   then escape_hash(object)
  when Array  then object.map { |o| escape(o) }
  when String then escape_string(object)
  else raise ArgumentError, "cannot escape #{object.inspect}"
  end
end
#escape_hash(hash) ⇒ Object
# File 'lib/rack/protection/escaped_params.rb', line 54
# Returns an escaped copy; the caller's hash is not modified here.
def escape_hash(hash)
  hash = hash.dup
  hash.each { |k,v| hash[k] = escape(v) }
  hash
end
#handle(hash) ⇒ Object
# File 'lib/rack/protection/escaped_params.rb', line 39
# Replaces the contents of the params hash in place with escaped values and
# returns the original contents so #call can restore them.
def handle(hash)
  was = hash.dup
  hash.replace escape(hash)
  was
end
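The traversal in #handle, #escape and #escape_hash, together with the escape-mode option from the overview, as an added, self-contained example that is not rack-protection's own code. It substitutes the stdlib CGI module for EscapeUtils (so only :html and :url are available; there is no stdlib JavaScript escaper), takes a plain Hash with :GET and :POST entries in place of a Rack env and Request, and the names MiniEscapedParams, sample_request, run_with, double_escaped and rejects_nil_leaf? are its own. It reproduces the library's mode nesting (last listed mode applied first) and the in-place escape followed by restore on return, and additionally guards the restore against the case where escaping GET itself raised.

```ruby
# Added example, not rack-protection's own code: a stand-alone re-implementation
# of the EscapedParams traversal so its escaping, mode ordering and
# restore-on-return behaviour can be exercised without Rack or EscapeUtils.
# Assumptions: stdlib CGI stands in for EscapeUtils (:html and :url only) and
# the request is a plain Hash with :GET and :POST entries rather than a Rack env.
require 'cgi'

class MiniEscapedParams
  ESCAPERS = {
    html: ->(s) { CGI.escapeHTML(s) },
    url:  ->(s) { CGI.escape(s) },
  }.freeze

  def initialize(app, escape: :html)
    @app   = app
    @modes = Array(escape)   # Symbol or Array of Symbols, like the :escape option
    unknown = @modes - ESCAPERS.keys
    raise ArgumentError, "unsupported escape mode(s): #{unknown.inspect}" unless unknown.empty?
  end

  # As in the library: escape GET and POST in place for the duration of the
  # inner app call, then put the original (unescaped) hashes back.
  def call(request)
    get_was  = handle(request[:GET])
    post_was = handle(request[:POST]) rescue nil   # unparsable body: leave POST alone
    @app.call(request)
  ensure
    # The library calls request.GET.replace get_was unconditionally; if handle
    # raised, get_was is nil and that raises TypeError. Guard it here.
    request[:GET].replace(get_was)   if get_was
    request[:POST].replace(post_was) if post_was
  end

  def handle(hash)
    was = hash.dup
    hash.replace(escape(hash))
    was
  end

  # Only Hash, Array and String are understood; anything else (nil, Integer)
  # raises ArgumentError, exactly as the library's #escape does.
  def escape(object)
    case object
    when Hash   then escape_hash(object)
    when Array  then object.map { |o| escape(o) }
    when String then escape_string(object)
    else raise ArgumentError, "cannot escape #{object.inspect}"
    end
  end

  def escape_hash(hash)
    hash = hash.dup
    hash.each { |k, v| hash[k] = escape(v) }
    hash
  end

  # The library nests the modes so the last listed one is the innermost call,
  # i.e. applied first; a reverse reduce reproduces that order.
  def escape_string(str)
    @modes.reverse.reduce(str) { |s, mode| ESCAPERS.fetch(mode).call(s) }
  end
end

# Constructed sample request (not captured traffic).
def sample_request
  { GET:  { 'q' => '<script>alert(1)</script>', 'tags' => ['a&b', "it's"] },
    POST: { 'profile' => { 'bio' => '"><img src=x onerror=alert(1)>' } } }
end

# Run the middleware around a stub app that deep-copies what it was handed,
# and return both that view and the request as it looks after the call.
def run_with(escape)
  seen = nil
  app  = ->(req) { seen = Marshal.load(Marshal.dump(req)); [200, {}, []] }
  req  = sample_request
  MiniEscapedParams.new(app, escape: escape).call(req)
  { inside: seen, after: req }
end

# The double-escaping pitfall: a value escaped on input and escaped again by a
# view ends up as &amp;lt;... unless the view is told it is already safe.
def double_escaped
  CGI.escapeHTML(run_with(:html)[:inside][:GET]['q'])
end

# A nil leaf (a key without a value, depending on the query parser) is rejected.
def rejects_nil_leaf?
  MiniEscapedParams.new(->(_) {}).escape({ 'foo' => nil })
  false
rescue ArgumentError
  true
end

if __FILE__ == $0
  p run_with(:html)[:inside]
  p run_with([:url, :html])[:inside][:GET]['tags']
  p double_escaped
end
```

run_with(:html)[:inside] shows the escaped hashes the wrapped app sees, while run_with(:html)[:after] is identical to sample_request again, which is the restore step of #call. With escape: [:url, :html] the :html escaper runs first and the :url escaper second, so 'a&b' becomes 'a%26amp%3Bb'; listing the modes the other way round gives 'a%26b'. double_escaped shows why the library calls html_safe where it can: a template that escapes the already-escaped value renders the entity text instead of the original characters.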