Class: ActiveCanvas::ContentSanitizer::PermissiveAttributeScrubber

Inherits:
Rails::HTML::PermitScrubber
  • Object
Defined in:
app/services/active_canvas/content_sanitizer.rb

Overview

Custom scrubber that permits data-* and aria-* attributes in addition to the explicitly allowed attribute list.


Constructor Details

#initialize(allowed_tags:, allowed_attributes:) ⇒ PermissiveAttributeScrubber

Returns a new instance of PermissiveAttributeScrubber.



# File 'app/services/active_canvas/content_sanitizer.rb', line 62

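# Builds a scrubber for the given tag and attribute allow-lists.
#
# @param allowed_tags [Enumerable<String>] tag names handed to the parent
#   scrubber via +tags=+
# @param allowed_attributes [Enumerable<String, Symbol>] attribute names that
#   #scrub_attribute treats as permitted; stored as lower-case strings
# @return [PermissiveAttributeScrubber]
def initialize(allowed_tags:, allowed_attributes:)
  super()
  self.tags = allowed_tags
  # #scrub_attribute compares a downcased attribute name against this list, so
  # entries given as symbols or in mixed case would otherwise never match.
  @allowed_attributes = Array(allowed_attributes).map { |name| name.to_s.downcase }
  # NOTE(review): only this class's own @allowed_attributes is set; the parent's
  # +attributes=+ is not. Confirm the parent still routes attribute handling
  # through #scrub_attribute when its own attribute list is left unset.
end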

Instance Method Details

#allowed_node?(node) ⇒ Boolean

Returns:

  • (Boolean)


# File 'app/services/active_canvas/content_sanitizer.rb', line 68

# Defers to the parent scrubber's node check and collapses its answer to a
# strict +true+ / +false+.
#
# @param node [Nokogiri::XML::Node] the element being scrubbed
# @return [Boolean]
def allowed_node?(node)
  parent_allows = super
  parent_allows ? true : false
end

#scrub_attribute(node, attr_node) ⇒ Object



# File 'app/services/active_canvas/content_sanitizer.rb', line 73

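# Decides whether a single attribute survives scrubbing.
#
# Order matters: the value check runs first so that a name on the allow-list
# (or a data-*/aria-* name) cannot carry a value that #dangerous_attribute?
# rejects. With the allow-list returns first, the check was skipped for every
# permitted name, and on the remaining path the attribute was removed whether
# or not the check fired, so it never changed the outcome.
#
# @param node [Nokogiri::XML::Node] the owning element (unused here; kept for
#   the Rails::HTML::PermitScrubber interface)
# @param attr_node [Nokogiri::XML::Attr] the attribute under review; removed
#   in place when not permitted
# @return [void]
def scrub_attribute(node, attr_node)
  # NOTE(review): +name+ is the local name only, so a namespaced attribute
  # such as xlink:href is compared without its prefix — confirm that is intended.
  attr_name = attr_node.name.downcase

  # Value check first (javascript: URLs, event handlers per the helper's
  # description; #dangerous_attribute? is defined elsewhere in this file).
  # NOTE(review): the parent's #scrub_attribute is not called, so any URI
  # scrubbing it performs for href/src is not applied here — confirm the
  # helper covers those cases.
  if dangerous_attribute?(attr_name, attr_node.value)
    attr_node.remove
    return
  end

  # Explicitly listed attributes are kept.
  return if @allowed_attributes.include?(attr_name)

  # data-* and aria-* attributes are kept wholesale.
  return if attr_name.start_with?("data-", "aria-")

  # Everything else is dropped.
  attr_node.remove
end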