lib/glue/sanitize.rb in glue-0.20.0 vs lib/glue/sanitize.rb in glue-0.21.0
- old
+ new
@@ -6,43 +6,43 @@
VERBOTEN_TAGS = %w(form script) unless defined?(VERBOTEN_TAGS)
VERBOTEN_ATTRS = /^on/i unless defined?(VERBOTEN_ATTRS)
class String
- # Sanitizes the given HTML by making form and script tags into regular
- # text, and removing all "onxxx" attributes (so that arbitrary Javascript
- # cannot be executed). Also removes href attributes that start with
- # "javascript:".
- #
- # Returns the sanitized text.
- def self.sanitize(html)
- # only do this if absolutely necessary
- if html.index("<")
- tokenizer = HTML::Tokenizer.new(html)
- new_text = ""
+ # Sanitizes the given HTML by making form and script tags into regular
+ # text, and removing all "onxxx" attributes (so that arbitrary Javascript
+ # cannot be executed). Also removes href attributes that start with
+ # "javascript:".
+ #
+ # Returns the sanitized text.
+ def self.sanitize(html)
+ # only do this if absolutely necessary
+ if html.index("<")
+ tokenizer = HTML::Tokenizer.new(html)
+ new_text = ""
- while token = tokenizer.next
- node = HTML::Node.parse(nil, 0, 0, token, false)
- new_text << case node
- when HTML::Tag
- if VERBOTEN_TAGS.include?(node.name)
- node.to_s.gsub(/</, "<")
- else
- if node.closing != :close
- node.attributes.delete_if { |attr,v| attr =~ VERBOTEN_ATTRS }
- if node.attributes["href"] =~ /^javascript:/i
- node.attributes.delete "href"
- end
- end
- node.to_s
- end
- else
- node.to_s.gsub(/</, "<")
- end
- end
+ while token = tokenizer.next
+ node = HTML::Node.parse(nil, 0, 0, token, false)
+ new_text << case node
+ when HTML::Tag
+ if VERBOTEN_TAGS.include?(node.name)
+ node.to_s.gsub(/</, "<")
+ else
+ if node.closing != :close
+ node.attributes.delete_if { |attr,v| attr =~ VERBOTEN_ATTRS }
+ if node.attributes["href"] =~ /^javascript:/i
+ node.attributes.delete "href"
+ end
+ end
+ node.to_s
+ end
+ else
+ node.to_s.gsub(/</, "<")
+ end
+ end
- html = new_text
- end
+ html = new_text
+ end
- html
- end
+ html
+ end
end