Class: Rack::Protection::EscapedParams

Inherits:
Base
  • Object
Defined in:
lib/rack/protection/escaped_params.rb

Overview

Prevented attack

XSS

Supported browsers

all

More info

en.wikipedia.org/wiki/Cross-site_scripting

Automatically escapes Rack::Request#params so they can be embedded in HTML or JavaScript without any further issues. Calls html_safe on the escaped strings if defined, to avoid double-escaping in Rails.

Options:

escape

Which escaping modes to use; a Symbol or an Array of Symbols. Available: :html (default), :javascript, :url

Constant Summary

Constants inherited from Base

Base::DEFAULT_OPTIONS

Instance Attribute Summary

Attributes inherited from Base

#app, #options

Instance Method Summary

Methods inherited from Base

#accepts?, #default_options, default_options, default_reaction, #deny, #drop_session, #encrypt, #random_string, #react, #referrer, #safe?, #session, #session?, #warn

Constructor Details

#initialize ⇒ EscapedParams

Returns a new instance of EscapedParams.



# File 'lib/rack/protection/escaped_params.rb', line 21

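# Builds the middleware and defines a per-instance +escape_string+ singleton
# method that applies every escaping mode configured in +options[:escape]+
# (a Symbol or an Array of Symbols such as :html, :javascript, :url).
#
# Modes nest with the first configured mode outermost: for [:html, :javascript]
# the result is EscapeUtils.escape_html(EscapeUtils.escape_javascript(str)),
# the same nesting the former string-built +eval+ produced.
#
# @param * forwarded untouched to Base#initialize, which sets +app+/+options+
# @raise [ArgumentError] when a configured mode has no EscapeUtils.escape_<mode>
def initialize(*)
  super
  modes = Array(options[:escape])
  # Resolve the escaper names once, at construction, instead of eval'ing a
  # generated method body: no evaluation of interpolated option text, and a
  # typo in the configuration fails at boot rather than on the first request.
  escapers = modes.map do |mode|
    name = :"escape_#{mode}"
    unless EscapeUtils.respond_to?(name)
      raise ArgumentError, "unknown escape mode #{mode.inspect}"
    end
    name
  end
  define_singleton_method(:escape_string) do |str|
    # reverse_each so the last configured mode is applied first (innermost).
    escapers.reverse_each.reduce(str) { |escaped, name| EscapeUtils.public_send(name, escaped) }
  end
end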

Instance Method Details

#call(env) ⇒ Object



# File 'lib/rack/protection/escaped_params.rb', line 29

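# Escapes the GET params (and, best effort, the POST params) for the duration
# of the downstream +app.call+, then restores the original unescaped values so
# middleware further up the stack sees the request as it arrived.
#
# @param env [Hash] the Rack environment
# @return whatever +app.call+ returns
def call(env)
  request  = Request.new(env)
  get_was  = handle(request.GET)
  post_was = begin
    handle(request.POST)
  rescue StandardError
    # Reading request.POST or escaping it may raise (#escape rejects values
    # that are not Hash/Array/String); POST is then left exactly as it was,
    # which also means such a body reaches the app unescaped.
    nil
  end
  app.call env
ensure
  # Only undo what was actually replaced: if Request.new or handle(GET) raised,
  # +request+/+get_was+ are nil and an unguarded replace here would turn the
  # original exception into a NoMethodError/TypeError.
  request.GET.replace get_was if request && get_was
  request.POST.replace post_was if request && post_was
end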

#escape(object) ⇒ Object



# File 'lib/rack/protection/escaped_params.rb', line 45

# Recursively escapes a params value: Hashes are escaped per value, Arrays
# per element, Strings through +escape_string+.
#
# @param object [Hash, Array, String]
# @return [Hash, Array, String] the escaped counterpart of +object+
# @raise [ArgumentError] for any other type
def escape(object)
  return escape_hash(object)                if object.is_a?(Hash)
  return object.map { |item| escape(item) } if object.is_a?(Array)
  return escape_string(object)              if object.is_a?(String)

  raise ArgumentError, "cannot escape #{object.inspect}"
end

#escape_hash(hash) ⇒ Object



# File 'lib/rack/protection/escaped_params.rb', line 54

# Returns a shallow copy of +hash+ whose values have each been run through
# #escape; +hash+ itself is not modified.
#
# @param hash [Hash]
# @return [Hash] a dup of +hash+ (same class) with escaped values
def escape_hash(hash)
  hash.dup.tap do |copy|
    copy.keys.each { |key| copy[key] = escape(copy[key]) }
  end
end

#handle(hash) ⇒ Object



# File 'lib/rack/protection/escaped_params.rb', line 39

# Replaces the contents of +hash+ in place with their escaped form and hands
# back a copy of the pre-escape contents so the caller can restore them later.
#
# @param hash [Hash] a mutable params hash (GET or POST)
# @return [Hash] a dup of +hash+ taken before escaping
def handle(hash)
  original = hash.dup
  escaped  = escape(hash)
  hash.replace(escaped)
  original
end