Module: Loofah::XssFoliate::ClassMethods

Defined in:
lib/loofah/activerecord/xss_foliate.rb

Overview

A replacement for XssTerminate[http://github.com/look/xss_terminate/tree/master], XssFoliate will strip all tags from your ActiveRecord models' string and text attributes.

See Loofah::XssFoliate for more example usage.

Constant Summary

SYMBOL_OPTIONS =
[:except, :html5lib_sanitize, :sanitize, :unencode_special_chars] + Loofah::Scrubbers.scrubber_symbols
BOOLEAN_OPTIONS =
{:encode_special_chars => true}
ALIASED_SYMBOL_OPTIONS =
{:html5lib_sanitize => :escape, :sanitize => :strip}
REAL_SYMBOL_OPTIONS =
SYMBOL_OPTIONS - ALIASED_SYMBOL_OPTIONS.keys
VALID_OPTIONS =
SYMBOL_OPTIONS + BOOLEAN_OPTIONS.keys + ALIASED_SYMBOL_OPTIONS.keys

Class Method Summary

Instance Method Summary

Class Method Details

.extended(base) ⇒ Object

# File 'lib/loofah/activerecord/xss_foliate.rb', line 106

def self.extended(base)
  # Rails 3.0 and later
  if base.respond_to?(:class_attribute)
    base.send(:class_attribute, :xss_foliate_options)
  end
end

Instance Method Details

#xss_foliate(options = {}) ⇒ Object

Annotate your model with this method to specify which fields you want scrubbed, and how you want them scrubbed. XssFoliate assumes all character fields are HTML fragments (as opposed to full documents; see the Loofah[http://loofah.rubyforge.org/] documentation for a full explanation of the difference).

Example call:

 xss_foliate :except => :author, :strip => :body, :prune => [:title, :description]

*Note* that the values in the options hash can be either an
array of attributes or a single attribute.

Options:

 :except => [fields] # don't scrub these fields
 :strip  => [fields] # strip unsafe tags from these fields
 :escape => [fields] # escape unsafe tags from these fields
 :prune  => [fields] # prune unsafe tags and subtrees from these fields
 :text   => [fields] # remove everything except the inner text from these fields

XssTerminate compatibility options (note that the default
behavior in XssTerminate corresponds to :text)

 :html5lib_sanitize => [fields] # same as :escape
 :sanitize          => [fields] # same as :strip

The default is :text for all fields unless otherwise specified.

# File 'lib/loofah/activerecord/xss_foliate.rb', line 143

def xss_foliate(options = {})
  callback_already_declared = \
  if respond_to?(:class_attribute)
    # Rails 3.0 and later
    false
  elsif respond_to?(:before_validation_callback_chain)
    # Rails 2.1 and later
    before_validation_callback_chain.any? {|cb| cb.method == :xss_foliate_fields}
  else
    # Rails 2.0
    cbs = read_inheritable_attribute(:before_validation)
    (! cbs.nil?) && cbs.any? {|cb| cb == :xss_foliate_fields}
  end

  unless callback_already_declared
    before_validation        :xss_foliate_fields
    unless respond_to?(:class_attribute)
      # Rails 2.x (no class_attribute available)
      class_inheritable_reader :xss_foliate_options
    end
    include XssFoliate::InstanceMethods
  end

  options.keys.each do |option|
    raise ArgumentError, "unknown xss_foliate option #{option}" unless VALID_OPTIONS.include?(option)
  end

  REAL_SYMBOL_OPTIONS.each do |option|
    options[option] = Array(options[option]).collect { |val| val.to_sym }
  end

  ALIASED_SYMBOL_OPTIONS.each do |option, real|
    options[real] += Array(options.delete(option)).collect { |val| val.to_sym } if options[option]
  end

  BOOLEAN_OPTIONS.each do |option, default|
    case options[option]
    when FalseClass
    when TrueClass
    when NilClass
      options[option] = default
    else
      raise "option #{option} only accepts `true` or `false` values"
    end
  end

  if respond_to?(:class_attribute)
    # Rails 3.0 and later
    self.xss_foliate_options = options
  else
    write_inheritable_attribute(:xss_foliate_options, options)
  end
end
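A stand-alone model of the option handling described above, added here as an example and not code from the Loofah gem: the constants are copied from this page, SCRUBBER_SYMBOLS is a constructed stand-in for Loofah::Scrubbers.scrubber_symbols, and scrubber_for (with its rule that one attribute under two scrubbers is an error) is this example's own helper, not something the page specifies.

```ruby
# Stand-in for Loofah::Scrubbers.scrubber_symbols (constructed for this example).
SCRUBBER_SYMBOLS = [:strip, :escape, :prune, :text].freeze
SYMBOL_OPTIONS = [:except, :html5lib_sanitize, :sanitize, :unencode_special_chars] + SCRUBBER_SYMBOLS
BOOLEAN_OPTIONS = { encode_special_chars: true }.freeze
ALIASED_SYMBOL_OPTIONS = { html5lib_sanitize: :escape, sanitize: :strip }.freeze
REAL_SYMBOL_OPTIONS = SYMBOL_OPTIONS - ALIASED_SYMBOL_OPTIONS.keys
VALID_OPTIONS = SYMBOL_OPTIONS + BOOLEAN_OPTIONS.keys + ALIASED_SYMBOL_OPTIONS.keys

# Same normalisation steps as the xss_foliate class method, minus the Rails plumbing.
def normalize_xss_foliate_options(options)
  options = options.dup
  options.each_key do |option|
    raise ArgumentError, "unknown xss_foliate option #{option}" unless VALID_OPTIONS.include?(option)
  end
  # Every real symbol option becomes an array of symbols (empty if not given).
  REAL_SYMBOL_OPTIONS.each do |option|
    options[option] = Array(options[option]).map(&:to_sym)
  end
  # XssTerminate-compatible aliases are folded into the real option and removed.
  ALIASED_SYMBOL_OPTIONS.each do |option, real|
    options[real] += Array(options.delete(option)).map(&:to_sym) if options[option]
  end
  # Boolean options default when absent and accept only true or false.
  BOOLEAN_OPTIONS.each do |option, default|
    case options[option]
    when TrueClass, FalseClass then nil
    when NilClass then options[option] = default
    else raise ArgumentError, "option #{option} only accepts `true` or `false` values"
    end
  end
  options
end

# Which scrubber a normalised options hash assigns to +attribute+: nil for
# :except fields, otherwise the listed scrubber, defaulting to :text as the
# page documents. Treating an attribute listed under two scrubbers as an
# error is this example's choice (the page does not define that case).
def scrubber_for(options, attribute)
  attribute = attribute.to_sym
  return nil if options[:except].include?(attribute)
  matches = SCRUBBER_SYMBOLS.select { |s| options[s].include?(attribute) }
  raise ArgumentError, "#{attribute} listed under #{matches.inspect}" if matches.size > 1
  matches.first || :text
end
```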

#xss_foliated? ⇒ Boolean

Class method to determine whether or not this model is applying xss_foliation to its attributes. Could be useful in test suites.

Returns:

  • (Boolean)

# File 'lib/loofah/activerecord/xss_foliate.rb', line 201

def xss_foliated?
  options =
    if respond_to?(:class_attribute)
      # Rails 3.0 and later
      xss_foliate_options
    else
      read_inheritable_attribute(:xss_foliate_options)
    end
  ! (options.nil? || options.empty?)
end