method
    
    process_attributes_for
 
  
  
    
kieran - July 28, 2008 - (<= v2.1.0)
     
  
  
  Bug that causes escape buildup
There is a bug in this method that causes an escape build up when you have links or image urls for example with ampersands in them. Over time, it goes something like this:
& -> &amp; -> &amp;amp; -> &amp;amp;amp; -> etc
This breaks the url so links and images are not clickable/viewable. To fix, simply unescape before you reescape. Works like a charm. We have the following in an initializer, “html_sanitizer_patch.rb”, that fixes this behaviour.
module HTML
  class WhiteListSanitizer < Sanitizer
    protected

    def process_attributes_for(node, options)
      return unless node.attributes
      node.attributes.keys.each do |attr_name|
        value = node.attributes[attr_name].to_s
        if !options[:attributes].include?(attr_name) || contains_bad_protocols?(attr_name, value)
          node.attributes.delete(attr_name)
        else
          node.attributes[attr_name] = attr_name == 'style' ? sanitize_css(value) : CGI::escapeHTML(CGI::unescapeHTML(value))
        end
      end
    end
  end
end
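The buildup and the fix described in the note above, reproduced with only Ruby's standard `CGI` helpers; this is an added example, not code from the note or from Rails. The helper names (`escape_only`, `passes`, `fully_unescape`, `repair`) and the sample URL are assumptions made for illustration. It also goes one step beyond the note by showing that the patch stops further growth but does not shrink values that were already over-escaped.

```ruby
require "cgi"

# Behaviour the note reports for the unpatched method: each pass escapes again.
def escape_only(value)
  CGI.escapeHTML(value)
end

# The note's fix: decode one level of entities, then escape.
def unescape_then_escape(value)
  CGI.escapeHTML(CGI.unescapeHTML(value))
end

# Feed each pass's output into the next, as happens when stored markup is
# sanitized again on every save. Returns the value after each pass.
def passes(value, count, strategy)
  (1..count).map { value = send(strategy, value) }
end

# Hypothetical clean-up for values damaged before the patch was installed:
# decode until the string stops changing. The result is raw text and must be
# escaped again before it goes back into an attribute (see repair).
def fully_unescape(value)
  loop do
    decoded = CGI.unescapeHTML(value)
    return value if decoded == value
    value = decoded
  end
end

def repair(value)
  CGI.escapeHTML(fully_unescape(value))
end

SAMPLE_URL = "http://example.test/img?w=10&h=20" # constructed sample value

if __FILE__ == $PROGRAM_NAME
  puts "escape only:          #{passes(SAMPLE_URL, 3, :escape_only).last}"
  puts "unescape then escape: #{passes(SAMPLE_URL, 3, :unescape_then_escape).last}"
  puts "patched, old damage:  #{unescape_then_escape('a&amp;amp;b')}"
  puts "repaired old damage:  #{repair('a&amp;amp;b')}"
  # Pre-encoded markup and quote characters still come out escaped.
  puts unescape_then_escape("&lt;script&gt;")
  puts unescape_then_escape('x" onmouseover="y')
end
```

`repair` also collapses entities that were double-encoded on purpose, so review a sample of stored values before running it over existing data.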

    