Class: Gitlab::Sanitizers::SVG::Scrubber

Inherits:
Loofah::Scrubber
  • Object
Defined in:
lib/gitlab/sanitizers/svg.rb

Constant Summary

DATA_ATTR_PATTERN =
/\Adata-(?!xml)[a-z_][\w.\u00E0-\u00F6\u00F8-\u017F\u01DD-\u02AF-]*\z/u

Instance Method Summary

Instance Method Details

#scrub(node) ⇒ Object


# File 'lib/gitlab/sanitizers/svg.rb', line 14

# Allow-list filter applied to a single node of the SVG tree.
#
# An element whose name is not in ALLOWED_ELEMENTS is unlinked as a whole.
# For an allowed element, every attribute is unlinked unless it is either
# listed for that element in ALLOWED_ATTRIBUTES, or it is a `data-*`
# attribute on an element named in ALLOWED_DATA_ATTRIBUTES_IN_ELEMENTS
# whose name matches DATA_ATTR_PATTERN.
#
# Both checks are exact string membership tests on names only. Attribute
# values are never inspected here.
# NOTE(review): the contents of ALLOWED_ATTRIBUTES are not visible from this
# method; if it admits URL-bearing attributes, their values pass through
# unchecked. Confirm against the constant.
# NOTE(review): if the keys of `node.attributes` omit namespace prefixes (as
# Nokogiri documents), namespaced attributes are matched by local name only.
# Confirm the allow-list accounts for that.
#
# @param node [Object] node handed in by the scrubber traversal; must
#   respond to `name`, `attributes` and `unlink`
# @return [Object] result of `node.unlink`, or of the attribute iteration
def scrub(node)
  element = node.name

  if ALLOWED_ELEMENTS.include?(element)
    node.attributes.each do |attr_name, attr|
      permitted = ALLOWED_ATTRIBUTES[element]
      # Explicitly allow-listed for this element: keep untouched.
      next if permitted && permitted.include?(attr_name)

      # Otherwise the only way to survive is to be a well-formed data-*
      # attribute on an element that may carry arbitrary data attributes.
      well_formed_data_attr =
        ALLOWED_DATA_ATTRIBUTES_IN_ELEMENTS.include?(element) &&
        attr_name.start_with?('data-') &&
        attr_name =~ DATA_ATTR_PATTERN

      attr.unlink unless well_formed_data_attr
    end
  else
    # Default-deny: anything not on the element allow-list is removed.
    node.unlink
  end
end