Module: Gitlab::Utils::SanitizeNodeLink
- Included in:
- Banzai::Filter::AutolinkFilter, Banzai::Filter::BaseSanitizationFilter, Banzai::Filter::WikiLinkFilter
- Defined in:
- lib/gitlab/utils/sanitize_node_link.rb
Constant Summary
- UNSAFE_PROTOCOLS = %w[data javascript vbscript].freeze
- ATTRS_TO_SANITIZE = %w[href src data-src data-canonical-src].freeze
Instance Method Summary
- #remove_unsafe_links(env, remove_invalid_links: true) ⇒ Object
- #safe_protocol?(scheme) ⇒ Boolean
  Remove all invalid scheme characters before checking against the list of unsafe protocols.
- #sanitize_unsafe_links(env) ⇒ Object
  sanitize 6.0 requires only a context argument.
Instance Method Details
#remove_unsafe_links(env, remove_invalid_links: true) ⇒ Object
# File 'lib/gitlab/utils/sanitize_node_link.rb', line 17

def remove_unsafe_links(env, remove_invalid_links: true)
  node = env[:node]

  sanitize_node(node: node, remove_invalid_links: remove_invalid_links)

  # HTML entities such as <video></video> have scannable attrs in
  # children elements, which also need to be sanitized.
  #
  node.children.each do |child_node|
    sanitize_node(node: child_node, remove_invalid_links: remove_invalid_links)
  end
end
#safe_protocol?(scheme) ⇒ Boolean
Remove all invalid scheme characters before checking against the list of unsafe protocols.
# File 'lib/gitlab/utils/sanitize_node_link.rb', line 35

def safe_protocol?(scheme)
  return false unless scheme

  scheme = scheme
    .strip
    .downcase
    .gsub(/[^A-Za-z\+\.\-]+/, '')

  UNSAFE_PROTOCOLS.none?(scheme)
end
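The following is an added example, not GitLab's own code: it models both #remove_unsafe_links and #safe_protocol? on a plain Hash of attributes instead of a Nokogiri node, so the scheme normalisation and the remove_invalid_links flag can be exercised stand-alone. The scheme_of helper, the sanitize_attrs body and the rule that URI.parse failures are what remove_invalid_links governs are assumptions, since the private sanitize_node method is not shown on this page.

```ruby
require 'uri'

# Added example, not GitLab's code: a stand-alone model of the module's checks
# that works on a plain Hash of attributes instead of a Nokogiri node.
UNSAFE_PROTOCOLS  = %w[data javascript vbscript].freeze
ATTRS_TO_SANITIZE = %w[href src data-src data-canonical-src].freeze

# Same normalisation as the module's safe_protocol?: trim, downcase, then drop
# every character that is not a letter, '+', '.' or '-', so "Java\tScript" and
# " JavaScript " both collapse to "javascript" before the list is consulted.
def safe_protocol?(scheme)
  return false unless scheme

  scheme = scheme.strip.downcase.gsub(/[^A-Za-z\+\.\-]+/, '')
  UNSAFE_PROTOCOLS.none?(scheme)
end

# Assumption: the scheme is the text before the first ':' that precedes any
# '/', '?' or '#'; relative URLs therefore have no scheme (nil).
def scheme_of(value)
  value[/\A[^:\/?#]+(?=:)/]
end

# Assumed model of the private sanitize_node step: drop any attribute in
# ATTRS_TO_SANITIZE whose scheme is unsafe and, when remove_invalid_links
# is set, any value that URI.parse rejects. Returns the surviving attributes.
def sanitize_attrs(attrs, remove_invalid_links: true)
  attrs.reject do |name, value|
    next false unless ATTRS_TO_SANITIZE.include?(name)
    scheme = scheme_of(value)
    next true if scheme && !safe_protocol?(scheme) # unsafe scheme: always dropped
    next false if scheme.nil?                      # relative link: nothing to judge
    begin
      URI.parse(value)
      false
    rescue URI::InvalidURIError
      remove_invalid_links
    end
  end
end

# Constructed sample attributes, as they might come off an <a> or <img> node.
SAMPLE_ATTRS = {
  'href'     => "Java\tScript:void(0)",        # obfuscated unsafe scheme: dropped
  'src'      => 'data:text/html;base64,AAAA',  # data: URI: dropped
  'data-src' => 'https://example.com/a.png',   # safe scheme, valid URI: kept
  'alt'      => 'diagram',                     # not in ATTRS_TO_SANITIZE: kept
}.freeze

p sanitize_attrs(SAMPLE_ATTRS) if __FILE__ == $PROGRAM_NAME
```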
#sanitize_unsafe_links(env) ⇒ Object
sanitize 6.0 requires only a context argument. Do not add any default arguments to this method.
# File 'lib/gitlab/utils/sanitize_node_link.rb', line 13

def sanitize_unsafe_links(env)
  remove_unsafe_links(env)
end