actionview 4.1.0.beta1
Potentially problematic release.
This version of actionview might be problematic. Click here for more details.
- checksums.yaml +7 -0
- data/CHANGELOG.md +274 -0
- data/MIT-LICENSE +21 -0
- data/README.rdoc +34 -0
- data/lib/action_view.rb +97 -0
- data/lib/action_view/base.rb +205 -0
- data/lib/action_view/buffers.rb +49 -0
- data/lib/action_view/context.rb +36 -0
- data/lib/action_view/dependency_tracker.rb +93 -0
- data/lib/action_view/digestor.rb +116 -0
- data/lib/action_view/flows.rb +76 -0
- data/lib/action_view/helpers.rb +64 -0
- data/lib/action_view/helpers/active_model_helper.rb +49 -0
- data/lib/action_view/helpers/asset_tag_helper.rb +322 -0
- data/lib/action_view/helpers/asset_url_helper.rb +355 -0
- data/lib/action_view/helpers/atom_feed_helper.rb +203 -0
- data/lib/action_view/helpers/cache_helper.rb +200 -0
- data/lib/action_view/helpers/capture_helper.rb +216 -0
- data/lib/action_view/helpers/controller_helper.rb +25 -0
- data/lib/action_view/helpers/csrf_helper.rb +30 -0
- data/lib/action_view/helpers/date_helper.rb +1075 -0
- data/lib/action_view/helpers/debug_helper.rb +39 -0
- data/lib/action_view/helpers/form_helper.rb +1876 -0
- data/lib/action_view/helpers/form_options_helper.rb +843 -0
- data/lib/action_view/helpers/form_tag_helper.rb +746 -0
- data/lib/action_view/helpers/javascript_helper.rb +75 -0
- data/lib/action_view/helpers/number_helper.rb +425 -0
- data/lib/action_view/helpers/output_safety_helper.rb +38 -0
- data/lib/action_view/helpers/record_tag_helper.rb +108 -0
- data/lib/action_view/helpers/rendering_helper.rb +90 -0
- data/lib/action_view/helpers/sanitize_helper.rb +256 -0
- data/lib/action_view/helpers/tag_helper.rb +176 -0
- data/lib/action_view/helpers/tags.rb +41 -0
- data/lib/action_view/helpers/tags/base.rb +148 -0
- data/lib/action_view/helpers/tags/check_box.rb +64 -0
- data/lib/action_view/helpers/tags/checkable.rb +16 -0
- data/lib/action_view/helpers/tags/collection_check_boxes.rb +44 -0
- data/lib/action_view/helpers/tags/collection_helpers.rb +85 -0
- data/lib/action_view/helpers/tags/collection_radio_buttons.rb +36 -0
- data/lib/action_view/helpers/tags/collection_select.rb +28 -0
- data/lib/action_view/helpers/tags/color_field.rb +25 -0
- data/lib/action_view/helpers/tags/date_field.rb +13 -0
- data/lib/action_view/helpers/tags/date_select.rb +72 -0
- data/lib/action_view/helpers/tags/datetime_field.rb +22 -0
- data/lib/action_view/helpers/tags/datetime_local_field.rb +19 -0
- data/lib/action_view/helpers/tags/datetime_select.rb +8 -0
- data/lib/action_view/helpers/tags/email_field.rb +8 -0
- data/lib/action_view/helpers/tags/file_field.rb +8 -0
- data/lib/action_view/helpers/tags/grouped_collection_select.rb +29 -0
- data/lib/action_view/helpers/tags/hidden_field.rb +8 -0
- data/lib/action_view/helpers/tags/label.rb +65 -0
- data/lib/action_view/helpers/tags/month_field.rb +13 -0
- data/lib/action_view/helpers/tags/number_field.rb +18 -0
- data/lib/action_view/helpers/tags/password_field.rb +12 -0
- data/lib/action_view/helpers/tags/radio_button.rb +31 -0
- data/lib/action_view/helpers/tags/range_field.rb +8 -0
- data/lib/action_view/helpers/tags/search_field.rb +24 -0
- data/lib/action_view/helpers/tags/select.rb +41 -0
- data/lib/action_view/helpers/tags/tel_field.rb +8 -0
- data/lib/action_view/helpers/tags/text_area.rb +18 -0
- data/lib/action_view/helpers/tags/text_field.rb +29 -0
- data/lib/action_view/helpers/tags/time_field.rb +13 -0
- data/lib/action_view/helpers/tags/time_select.rb +8 -0
- data/lib/action_view/helpers/tags/time_zone_select.rb +20 -0
- data/lib/action_view/helpers/tags/url_field.rb +8 -0
- data/lib/action_view/helpers/tags/week_field.rb +13 -0
- data/lib/action_view/helpers/text_helper.rb +447 -0
- data/lib/action_view/helpers/translation_helper.rb +111 -0
- data/lib/action_view/helpers/url_helper.rb +625 -0
- data/lib/action_view/layouts.rb +426 -0
- data/lib/action_view/locale/en.yml +56 -0
- data/lib/action_view/log_subscriber.rb +44 -0
- data/lib/action_view/lookup_context.rb +249 -0
- data/lib/action_view/model_naming.rb +12 -0
- data/lib/action_view/path_set.rb +77 -0
- data/lib/action_view/railtie.rb +49 -0
- data/lib/action_view/record_identifier.rb +84 -0
- data/lib/action_view/renderer/abstract_renderer.rb +47 -0
- data/lib/action_view/renderer/partial_renderer.rb +492 -0
- data/lib/action_view/renderer/renderer.rb +50 -0
- data/lib/action_view/renderer/streaming_template_renderer.rb +103 -0
- data/lib/action_view/renderer/template_renderer.rb +96 -0
- data/lib/action_view/rendering.rb +145 -0
- data/lib/action_view/routing_url_for.rb +109 -0
- data/lib/action_view/tasks/dependencies.rake +17 -0
- data/lib/action_view/template.rb +340 -0
- data/lib/action_view/template/error.rb +141 -0
- data/lib/action_view/template/handlers.rb +53 -0
- data/lib/action_view/template/handlers/builder.rb +26 -0
- data/lib/action_view/template/handlers/erb.rb +145 -0
- data/lib/action_view/template/handlers/raw.rb +11 -0
- data/lib/action_view/template/resolver.rb +329 -0
- data/lib/action_view/template/text.rb +34 -0
- data/lib/action_view/template/types.rb +57 -0
- data/lib/action_view/test_case.rb +272 -0
- data/lib/action_view/testing/resolvers.rb +50 -0
- data/lib/action_view/vendor/html-scanner.rb +20 -0
- data/lib/action_view/vendor/html-scanner/html/document.rb +68 -0
- data/lib/action_view/vendor/html-scanner/html/node.rb +532 -0
- data/lib/action_view/vendor/html-scanner/html/sanitizer.rb +188 -0
- data/lib/action_view/vendor/html-scanner/html/selector.rb +830 -0
- data/lib/action_view/vendor/html-scanner/html/tokenizer.rb +107 -0
- data/lib/action_view/vendor/html-scanner/html/version.rb +11 -0
- data/lib/action_view/version.rb +11 -0
- data/lib/action_view/view_paths.rb +96 -0
- metadata +218 -0
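--- a/data/lib/action_view/helpers/output_safety_helper.rb
+++ b/data/lib/action_view/helpers/output_safety_helper.rb
@@ -0,0 +1,38 @@
+require 'active_support/core_ext/string/output_safety'
+
+module ActionView #:nodoc:
+# = Action View Raw Output Helper
+module Helpers #:nodoc:
+module OutputSafetyHelper
+# This method outputs without escaping a string. Since escaping tags is
+# now default, this can be used when you don't want Rails to automatically
+# escape tags. This is not recommended if the data is coming from the user's
+# input.
+#
+# For example:
+#
+# raw @user.name
+# # => 'Jimmy <alert>Tables</alert>'
+def raw(stringish)
+stringish.to_s.html_safe
+end
+
+# This method returns a html safe string similar to what <tt>Array#join</tt>
+# would return. All items in the array, including the supplied separator, are
+# html escaped unless they are html safe, and the returned string is marked
+# as html safe.
+#
+# safe_join(["<p>foo</p>".html_safe, "<p>bar</p>"], "<br />")
+# # => "<p>foo</p><br /><p>bar</p>"
+#
+# safe_join(["<p>foo</p>".html_safe, "<p>bar</p>".html_safe], "<br />".html_safe)
+# # => "<p>foo</p><br /><p>bar</p>"
+#
+def safe_join(array, sep=$,)
+sep = ERB::Util.html_escape(sep)
+
+array.map { |i| ERB::Util.html_escape(i) }.join(sep).html_safe
+end
+end
+end
+end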
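Review bot: The doc example for `raw` passes `@user.name`, a model attribute that normally holds user-supplied text, directly after the comment says this is not recommended for user input. `raw` only calls `to_s.html_safe`, so whatever the string holds is emitted unescaped. I would switch the example to a developer-controlled string and make the warning firmer, e.g. `# Never pass user-supplied data to +raw+; use +sanitize+ or rely on the default escaping instead.` Separately, both `safe_join` examples show identical output even though the first one passes an unsafe item and separator, which the comment above says are escaped; this may be a rendering artefact of the page, but it is worth checking against the source file.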
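--- a/data/lib/action_view/helpers/record_tag_helper.rb
+++ b/data/lib/action_view/helpers/record_tag_helper.rb
@@ -0,0 +1,108 @@
+require 'action_view/record_identifier'
+
+module ActionView
+# = Action View Record Tag Helpers
+module Helpers
+module RecordTagHelper
+include ActionView::RecordIdentifier
+
+# Produces a wrapper DIV element with id and class parameters that
+# relate to the specified Active Record object. Usage example:
+#
+# <%= div_for(@person, class: "foo") do %>
+# <%= @person.name %>
+# <% end %>
+#
+# produces:
+#
+# <div id="person_123" class="person foo"> Joe Bloggs </div>
+#
+# You can also pass an array of Active Record objects, which will then
+# get iterated over and yield each record as an argument for the block.
+# For example:
+#
+# <%= div_for(@people, class: "foo") do |person| %>
+# <%= person.name %>
+# <% end %>
+#
+# produces:
+#
+# <div id="person_123" class="person foo"> Joe Bloggs </div>
+# <div id="person_124" class="person foo"> Jane Bloggs </div>
+#
+def div_for(record, *args, &block)
+content_tag_for(:div, record, *args, &block)
+end
+
+# content_tag_for creates an HTML element with id and class parameters
+# that relate to the specified Active Record object. For example:
+#
+# <%= content_tag_for(:tr, @person) do %>
+# <td><%= @person.first_name %></td>
+# <td><%= @person.last_name %></td>
+# <% end %>
+#
+# would produce the following HTML (assuming @person is an instance of
+# a Person object, with an id value of 123):
+#
+# <tr id="person_123" class="person">....</tr>
+#
+# If you require the HTML id attribute to have a prefix, you can specify it:
+#
+# <%= content_tag_for(:tr, @person, :foo) do %> ...
+#
+# produces:
+#
+# <tr id="foo_person_123" class="person">...
+#
+# You can also pass an array of objects which this method will loop through
+# and yield the current object to the supplied block, reducing the need for
+# having to iterate through the object (using <tt>each</tt>) beforehand.
+# For example (assuming @people is an array of Person objects):
+#
+# <%= content_tag_for(:tr, @people) do |person| %>
+# <td><%= person.first_name %></td>
+# <td><%= person.last_name %></td>
+# <% end %>
+#
+# produces:
+#
+# <tr id="person_123" class="person">...</tr>
+# <tr id="person_124" class="person">...</tr>
+#
+# content_tag_for also accepts a hash of options, which will be converted to
+# additional HTML attributes. If you specify a <tt>:class</tt> value, it will be combined
+# with the default class name for your object. For example:
+#
+# <%= content_tag_for(:li, @person, class: "bar") %>...
+#
+# produces:
+#
+# <li id="person_123" class="person bar">...
+#
+def content_tag_for(tag_name, single_or_multiple_records, prefix = nil, options = nil, &block)
+options, prefix = prefix, nil if prefix.is_a?(Hash)
+
+Array(single_or_multiple_records).map do |single_record|
+content_tag_for_single_record(tag_name, single_record, prefix, options, &block)
+end.join("\n").html_safe
+end
+
+private
+
+# Called by <tt>content_tag_for</tt> internally to render a content tag
+# for each record.
+def content_tag_for_single_record(tag_name, record, prefix, options, &block)
+options = options ? options.dup : {}
+options[:class] = [ dom_class(record, prefix), options[:class] ].compact
+options[:id] = dom_id(record, prefix)
+
+if block_given?
+content_tag(tag_name, capture(record, &block), options)
+else
+content_tag(tag_name, "", options)
+end
+end
+end
+end
+end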
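Review bot: `content_tag_for` ends with `.join("\n").html_safe`, which marks the whole joined string as safe regardless of what each element is. Today every element comes from `content_tag` in `content_tag_for_single_record`, so the assertion holds, but the guarantee lives in a private helper rather than at the call that declares the result safe. Assuming OutputSafetyHelper is mixed into the same view context, `safe_join(fragments, "\n")` would escape any fragment that is not already html_safe; failing that, a comment such as `# every fragment is a content_tag result, hence already html_safe` would record the invariant for the next editor.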
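--- a/data/lib/action_view/helpers/rendering_helper.rb
+++ b/data/lib/action_view/helpers/rendering_helper.rb
@@ -0,0 +1,90 @@
+module ActionView
+module Helpers
+# = Action View Rendering
+#
+# Implements methods that allow rendering from a view context.
+# In order to use this module, all you need is to implement
+# view_renderer that returns an ActionView::Renderer object.
+module RenderingHelper
+# Returns the result of a render that's dictated by the options hash. The primary options are:
+#
+# * <tt>:partial</tt> - See <tt>ActionView::PartialRenderer</tt>.
+# * <tt>:file</tt> - Renders an explicit template file (this used to be the old default), add :locals to pass in those.
+# * <tt>:inline</tt> - Renders an inline template similar to how it's done in the controller.
+# * <tt>:text</tt> - Renders the text passed in out.
+#
+# If no options hash is passed or :update specified, the default is to render a partial and use the second parameter
+# as the locals hash.
+def render(options = {}, locals = {}, &block)
+case options
+when Hash
+if block_given?
+view_renderer.render_partial(self, options.merge(:partial => options[:layout]), &block)
+else
+view_renderer.render(self, options)
+end
+else
+view_renderer.render_partial(self, :partial => options, :locals => locals)
+end
+end
+
+# Overwrites _layout_for in the context object so it supports the case a block is
+# passed to a partial. Returns the contents that are yielded to a layout, given a
+# name or a block.
+#
+# You can think of a layout as a method that is called with a block. If the user calls
+# <tt>yield :some_name</tt>, the block, by default, returns <tt>content_for(:some_name)</tt>.
+# If the user calls simply +yield+, the default block returns <tt>content_for(:layout)</tt>.
+#
+# The user can override this default by passing a block to the layout:
+#
+# # The template
+# <%= render layout: "my_layout" do %>
+# Content
+# <% end %>
+#
+# # The layout
+# <html>
+# <%= yield %>
+# </html>
+#
+# In this case, instead of the default block, which would return <tt>content_for(:layout)</tt>,
+# this method returns the block that was passed in to <tt>render :layout</tt>, and the response
+# would be
+#
+# <html>
+# Content
+# </html>
+#
+# Finally, the block can take block arguments, which can be passed in by +yield+:
+#
+# # The template
+# <%= render layout: "my_layout" do |customer| %>
+# Hello <%= customer.name %>
+# <% end %>
+#
+# # The layout
+# <html>
+# <%= yield Struct.new(:name).new("David") %>
+# </html>
+#
+# In this case, the layout would receive the block passed into <tt>render :layout</tt>,
+# and the struct specified would be passed into the block as an argument. The result
+# would be
+#
+# <html>
+# Hello David
+# </html>
+#
+def _layout_for(*args, &block)
+name = args.first
+
+if block && !name.is_a?(Symbol)
+capture(*args, &block)
+else
+super
+end
+end
+end
+end
+end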
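Review bot: The option list on `render` documents `:file` and `:inline` without saying that their values must not come from request data. Per the comment, `:inline` is rendered as a template and `:file` names a template file, and the non-Hash branch forwards `options` unchanged as the `:partial` name, so all three are places where a request parameter would decide what gets rendered. I would add a line to the doc comment such as `# Never build :file, :inline or the partial name from request parameters; choose from a fixed list of templates instead.` The comment also still mentions `:update`, which none of the branches shown here handle.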
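--- a/data/lib/action_view/helpers/sanitize_helper.rb
+++ b/data/lib/action_view/helpers/sanitize_helper.rb
@@ -0,0 +1,256 @@
+require 'active_support/core_ext/object/try'
+require 'action_view/vendor/html-scanner'
+
+module ActionView
+# = Action View Sanitize Helpers
+module Helpers
+# The SanitizeHelper module provides a set of methods for scrubbing text of undesired HTML elements.
+# These helper methods extend Action View making them callable within your template files.
+module SanitizeHelper
+extend ActiveSupport::Concern
+# This +sanitize+ helper will html encode all tags and strip all attributes that
+# aren't specifically allowed.
+#
+# It also strips href/src tags with invalid protocols, like javascript: especially.
+# It does its best to counter any tricks that hackers may use, like throwing in
+# unicode/ascii/hex values to get past the javascript: filters. Check out
+# the extensive test suite.
+#
+# <%= sanitize @article.body %>
+#
+# You can add or remove tags/attributes if you want to customize it a bit.
+# See ActionView::Base for full docs on the available options. You can add
+# tags/attributes for single uses of +sanitize+ by passing either the
+# <tt>:attributes</tt> or <tt>:tags</tt> options:
+#
+# Normal Use
+#
+# <%= sanitize @article.body %>
+#
+# Custom Use (only the mentioned tags and attributes are allowed, nothing else)
+#
+# <%= sanitize @article.body, tags: %w(table tr td), attributes: %w(id class style) %>
+#
+# Add table tags to the default allowed tags
+#
+# class Application < Rails::Application
+# config.action_view.sanitized_allowed_tags = 'table', 'tr', 'td'
+# end
+#
+# Remove tags to the default allowed tags
+#
+# class Application < Rails::Application
+# config.after_initialize do
+# ActionView::Base.sanitized_allowed_tags.delete 'div'
+# end
+# end
+#
+# Change allowed default attributes
+#
+# class Application < Rails::Application
+# config.action_view.sanitized_allowed_attributes = 'id', 'class', 'style'
+# end
+#
+# Please note that sanitizing user-provided text does not guarantee that the
+# resulting markup is valid (conforming to a document type) or even well-formed.
+# The output may still contain e.g. unescaped '<', '>', '&' characters and
+# confuse browsers.
+#
+def sanitize(html, options = {})
+self.class.white_list_sanitizer.sanitize(html, options).try(:html_safe)
+end
+
+# Sanitizes a block of CSS code. Used by +sanitize+ when it comes across a style attribute.
+def sanitize_css(style)
+self.class.white_list_sanitizer.sanitize_css(style)
+end
+
+# Strips all HTML tags from the +html+, including comments. This uses the
+# html-scanner tokenizer and so its HTML parsing ability is limited by
+# that of html-scanner.
+#
+# strip_tags("Strip <i>these</i> tags!")
+# # => Strip these tags!
+#
+# strip_tags("<b>Bold</b> no more! <a href='more.html'>See more here</a>...")
+# # => Bold no more! See more here...
+#
+# strip_tags("<div id='top-bar'>Welcome to my website!</div>")
+# # => Welcome to my website!
+def strip_tags(html)
+self.class.full_sanitizer.sanitize(html)
+end
+
+# Strips all link tags from +text+ leaving just the link text.
+#
+# strip_links('<a href="http://www.rubyonrails.org">Ruby on Rails</a>')
+# # => Ruby on Rails
+#
+# strip_links('Please e-mail me at <a href="mailto:me@email.com">me@email.com</a>.')
+# # => Please e-mail me at me@email.com.
+#
+# strip_links('Blog: <a href="http://www.myblog.com/" class="nav" target=\"_blank\">Visit</a>.')
+# # => Blog: Visit.
+def strip_links(html)
+self.class.link_sanitizer.sanitize(html)
+end
+
+module ClassMethods #:nodoc:
+attr_writer :full_sanitizer, :link_sanitizer, :white_list_sanitizer
+
+def sanitized_protocol_separator
+white_list_sanitizer.protocol_separator
+end
+
+def sanitized_uri_attributes
+white_list_sanitizer.uri_attributes
+end
+
+def sanitized_bad_tags
+white_list_sanitizer.bad_tags
+end
+
+def sanitized_allowed_tags
+white_list_sanitizer.allowed_tags
+end
+
+def sanitized_allowed_attributes
+white_list_sanitizer.allowed_attributes
+end
+
+def sanitized_allowed_css_properties
+white_list_sanitizer.allowed_css_properties
+end
+
+def sanitized_allowed_css_keywords
+white_list_sanitizer.allowed_css_keywords
+end
+
+def sanitized_shorthand_css_properties
+white_list_sanitizer.shorthand_css_properties
+end
+
+def sanitized_allowed_protocols
+white_list_sanitizer.allowed_protocols
+end
+
+def sanitized_protocol_separator=(value)
+white_list_sanitizer.protocol_separator = value
+end
+
+# Gets the HTML::FullSanitizer instance used by +strip_tags+. Replace with
+# any object that responds to +sanitize+.
+#
+# class Application < Rails::Application
+# config.action_view.full_sanitizer = MySpecialSanitizer.new
+# end
+#
+def full_sanitizer
+@full_sanitizer ||= HTML::FullSanitizer.new
+end
+
+# Gets the HTML::LinkSanitizer instance used by +strip_links+. Replace with
+# any object that responds to +sanitize+.
+#
+# class Application < Rails::Application
+# config.action_view.link_sanitizer = MySpecialSanitizer.new
+# end
+#
+def link_sanitizer
+@link_sanitizer ||= HTML::LinkSanitizer.new
+end
+
+# Gets the HTML::WhiteListSanitizer instance used by sanitize and +sanitize_css+.
+# Replace with any object that responds to +sanitize+.
+#
+# class Application < Rails::Application
+# config.action_view.white_list_sanitizer = MySpecialSanitizer.new
+# end
+#
+def white_list_sanitizer
+@white_list_sanitizer ||= HTML::WhiteListSanitizer.new
+end
+
+# Adds valid HTML attributes that the +sanitize+ helper checks for URIs.
+#
+# class Application < Rails::Application
+# config.action_view.sanitized_uri_attributes = 'lowsrc', 'target'
+# end
+#
+def sanitized_uri_attributes=(attributes)
+HTML::WhiteListSanitizer.uri_attributes.merge(attributes)
+end
+
+# Adds to the Set of 'bad' tags for the +sanitize+ helper.
+#
+# class Application < Rails::Application
+# config.action_view.sanitized_bad_tags = 'embed', 'object'
+# end
+#
+def sanitized_bad_tags=(attributes)
+HTML::WhiteListSanitizer.bad_tags.merge(attributes)
+end
+
+# Adds to the Set of allowed tags for the +sanitize+ helper.
+#
+# class Application < Rails::Application
+# config.action_view.sanitized_allowed_tags = 'table', 'tr', 'td'
+# end
+#
+def sanitized_allowed_tags=(attributes)
+HTML::WhiteListSanitizer.allowed_tags.merge(attributes)
+end
+
+# Adds to the Set of allowed HTML attributes for the +sanitize+ helper.
+#
+# class Application < Rails::Application
+# config.action_view.sanitized_allowed_attributes = 'onclick', 'longdesc'
+# end
+#
+def sanitized_allowed_attributes=(attributes)
+HTML::WhiteListSanitizer.allowed_attributes.merge(attributes)
+end
+
+# Adds to the Set of allowed CSS properties for the #sanitize and +sanitize_css+ helpers.
+#
+# class Application < Rails::Application
+# config.action_view.sanitized_allowed_css_properties = 'expression'
+# end
+#
+def sanitized_allowed_css_properties=(attributes)
+HTML::WhiteListSanitizer.allowed_css_properties.merge(attributes)
+end
+
+# Adds to the Set of allowed CSS keywords for the +sanitize+ and +sanitize_css+ helpers.
+#
+# class Application < Rails::Application
+# config.action_view.sanitized_allowed_css_keywords = 'expression'
+# end
+#
+def sanitized_allowed_css_keywords=(attributes)
+HTML::WhiteListSanitizer.allowed_css_keywords.merge(attributes)
+end
+
+# Adds to the Set of allowed shorthand CSS properties for the +sanitize+ and +sanitize_css+ helpers.
+#
+# class Application < Rails::Application
+# config.action_view.sanitized_shorthand_css_properties = 'expression'
+# end
+#
+def sanitized_shorthand_css_properties=(attributes)
+HTML::WhiteListSanitizer.shorthand_css_properties.merge(attributes)
+end
+
+# Adds to the Set of allowed protocols for the +sanitize+ helper.
+#
+# class Application < Rails::Application
+# config.action_view.sanitized_allowed_protocols = 'ssh', 'feed'
+# end
+#
+def sanitized_allowed_protocols=(attributes)
+HTML::WhiteListSanitizer.allowed_protocols.merge(attributes)
+end
+end
+end
+end
+end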
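Review bot: Several doc examples in ClassMethods model configuration that weakens the sanitizer: the comment on `sanitized_allowed_attributes=` allows `'onclick'`, an inline event-handler attribute, and the three CSS setters all use `'expression'` as their sample value. Readers copy these snippets, so I would use harmless values instead, e.g. `config.action_view.sanitized_allowed_attributes = 'longdesc', 'summary'`, and state in each comment that every addition widens what `sanitize` lets through. Separately, the setters merge into class-level sets on `HTML::WhiteListSanitizer` while the getters read from `white_list_sanitizer`, so once a custom sanitizer is assigned through the `attr_writer` the two may diverge; a one-line comment on the setters saying they only add to the built-in sanitizer's sets, and never replace them, would make that visible.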