From 9b7071d190ccf5d84c8b9a86db0a07ae4b66509c Mon Sep 17 00:00:00 2001
From: Jacques Distler
Date: Fri, 9 Oct 2009 14:02:07 -0500
Subject: [PATCH] Update Sanitizer Docs

They were a bit out-of-sync with what the sanitizer actually does.
---
 lib/sanitizer.rb | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/lib/sanitizer.rb b/lib/sanitizer.rb
index 7052443d..bcfb143a 100644
--- a/lib/sanitizer.rb
+++ b/lib/sanitizer.rb
@@ -113,13 +113,17 @@ module Sanitizer
 # Sanitize the +html+, escaping all elements not in ALLOWED_ELEMENTS, and stripping out all
 # attributes not in ALLOWED_ATTRIBUTES. Style attributes are parsed, and a restricted set,
 # specified by ALLOWED_CSS_PROPERTIES and ALLOWED_CSS_KEYWORDS, are allowed through.
-# attributes in ATTR_VAL_IS_URI are scanned, and only URI schemes specified in
+# Attributes in ATTR_VAL_IS_URI are scanned, and only URI schemes specified in
 # ALLOWED_PROTOCOLS are allowed.
+# Certain SVG attributes (SVG_ATTR_VAL_ALLOWS_REF) may take a url as a value. These are restricted to
+# fragment-id's (in-document references). Certain SVG elements (SVG_ALLOW_LOCAL_HREF) allow href attributes
+# which, again, are restricted to be fragment-id's.
+#
 # You can adjust what gets sanitized, by defining these constant arrays before this Module is loaded.
 #
-# sanitize_xhtml('')
+# xhtml_sanitize('')
 # => <script> do_nasty_stuff() </script>
-# sanitize_xhtml('Click here for $100')
+# xhtml_sanitize_xhtml('Click here for $100')
 # => Click here for $100
 def xhtml_sanitize(html)
 if html.index("<")
@@ -165,7 +169,7 @@ module Sanitizer
 node.attributes.delete attr; next
 end
 end
-val = val.to_s.gsub(/url\s*\(\s*[^#\s][^)]+?\)/m, ' ') if SVG_ATTR_VAL_ALLOWS_REF.include?(attr)
+val = val.to_s.gsub(/url\s*\(\s*[^#\s][^)]+?\)/mi, ' ') if SVG_ATTR_VAL_ALLOWS_REF.include?(attr)
 val = sanitize_css(val) if attr == 'style'
 node.attributes[attr] = val
 end