Class: Owasp::Esapi::Sanitizer::Xss

Inherits:
Object
  • Object
show all
Defined in:
lib/sanitizer/xss.rb

Overview

This is the Cross site scripting sanitizer class. The XSS Cheat sheet at Owasp site

Instance Attribute Summary collapse

Instance Method Summary collapse

Constructor Details

#initialize(smart = false) ⇒ Xss

Creates a new sanitizer

Parameters:

  • , (Boolean)

    smart. A boolean that says if sanitizer can blindly escape all 'dangerous' characters in their html entity or rather if it should try to guess if the string needs sanitizing is a xss attack vector or not and then let the string to pass by.


15
16
17
# File 'lib/sanitizer/xss.rb', line 15

def initialize(smart=false)
  self.smart= smart
end

Instance Attribute Details

#smartObject

Returns the value of attribute smart


9
10
11
# File 'lib/sanitizer/xss.rb', line 9

def smart
  @smart
end

Instance Method Details

#sanitize(tainted) ⇒ String

Todo, we should really investigate if dangerous chars have to be trimmed or substituted. I'm (Paolo) choosing substitute right now… we'll change it later.

Parameters:

  • , (String)

    tainted. The string needs to be sanitized

Returns:

  • (String)

    the input string sanitized equivalent


23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
# File 'lib/sanitizer/xss.rb', line 23

def sanitize(tainted)
  untainted = tainted
    
  untainted = rule1_sanitize(tainted)
    
  # Start - RULE #2 - Attribute Escape Before Inserting Untrusted Data into HTML Common Attributes
  # End - RULE #2 - Attribute Escape Before Inserting Untrusted Data into HTML Common Attributes
    
  # Start - RULE #3 - JavaScript Escape Before Inserting Untrusted Data into HTML JavaScript Data Values
  # End - RULE #3 - JavaScript Escape Before Inserting Untrusted Data into HTML JavaScript Data Values
    
  # Start - RULE #4 - CSS Escape Before Inserting Untrusted Data into HTML Style Property Values
  # End - RULE #4 - CSS Escape Before Inserting Untrusted Data into HTML Style Property Values
  
  untainted
end