process_attributes_for
Ruby on Rails latest stable (v7.1.3.2) - 1 note - Class: HTML::WhiteListSanitizer

Method deprecated or moved

This method is deprecated or moved on the latest stable version. The last existing version (v4.1.8) is shown here.

process_attributes_for(node, options) protected

No documentation

This method has no description.

July 28, 2008 - (<= v2.1.0)

Bug that causes escape buildup

There is a bug in this method that causes an escape buildup when you have links or image urls, for example, with ampersands in them. Over time, it goes something like this:

& -> &amp; -> &amp;amp; -> &amp;amp;amp; -> &amp;amp;amp;amp; -> etc

This breaks the url so links and images are not clickable/viewable. To fix, simply unescape before you reescape. Works like a charm. We have the following in an initializer, “html_sanitizer_patch.rb”, that fixes this behaviour.

module HTML
  class WhiteListSanitizer < Sanitizer
    protected

    # Same logic as the stock method, except that attribute values are
    # unescaped before being escaped, so entities that are already encoded
    # (such as "&amp;") are not encoded again on every sanitizer pass.
    def process_attributes_for(node, options)
      return unless node.attributes
      node.attributes.keys.each do |attr_name|
        value = node.attributes[attr_name].to_s
        if !options[:attributes].include?(attr_name) || contains_bad_protocols?(attr_name, value)
          # Attribute is not whitelisted, or carries a disallowed protocol: drop it.
          node.attributes.delete(attr_name)
        else
          # "style" goes through the CSS sanitizer; everything else is normalised, then escaped once.
          node.attributes[attr_name] = attr_name == 'style' ? sanitize_css(value) : CGI::escapeHTML(CGI::unescapeHTML(value))
        end
      end
    end
  end
end
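The buildup the note describes, and what the unescape-then-escape fix changes, as an added Ruby example; this is not code from the note or from Rails, the URL and attribute values are constructed samples, and the helper names (escape_naively, escape_idempotently, repeated_passes) are mine. It also shows two checks a reviewer of the patch would want: that decoding first does not let markup through, and that values which already carry buildup are frozen rather than repaired.

```ruby
require 'cgi'

# Constructed sample values (not taken from any real site).
SAMPLE_URL    = 'http://example.test/img.png?a=1&b=2'
SAMPLE_MARKUP = '&lt;img src=x&gt;<b>"hi"</b>'

# What the stock method does to an attribute value on every sanitizer pass.
def escape_naively(value)
  CGI.escapeHTML(value)
end

# The note's fix: decode whatever is already encoded, then encode once.
def escape_idempotently(value)
  CGI.escapeHTML(CGI.unescapeHTML(value))
end

# Run +escaper+ over +value+ the given number of times (as happens when
# stored content is re-sanitized on every save) and return the value
# after each pass.
def repeated_passes(escaper, value, passes)
  (1..passes).map { value = escaper.call(value) }
end

# Escape buildup: each pass adds another "amp;" to every ampersand.
def buildup_sequence
  repeated_passes(method(:escape_naively), SAMPLE_URL, 3)
end

# With the patch the first pass encodes "&" and later passes leave it alone.
def stable_sequence
  repeated_passes(method(:escape_idempotently), SAMPLE_URL, 3)
end

# Defensive check: decoding first must not let markup through. Because
# escapeHTML runs last, no raw <, > or " can remain in the output, even
# when the input arrives entity-encoded.
def markup_neutralised?(value)
  !escape_idempotently(value).match?(/[<>"]/)
end

# Caveat: a value that already carries buildup is left as-is, not repaired,
# because unescapeHTML strips one level and escapeHTML puts one back.
def already_damaged_after_patch
  escape_idempotently('x=1&amp;amp;y=2')
end

if __FILE__ == $PROGRAM_NAME
  puts 'naive:   ' + buildup_sequence.inspect
  puts 'patched: ' + stable_sequence.inspect
  puts 'markup neutralised: ' + markup_neutralised?(SAMPLE_MARKUP).to_s
  puts 'damaged value after patch: ' + already_damaged_after_patch
end
```

The takeaway for anyone applying the note's patch: it stops the growth from the next save onwards, but attribute values that were already mangled stay mangled and need a one-off cleanup.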