Class: Rack::Protection::EscapedParams
| Relationships & Source Files | |
| Super Chains via Extension / Inclusion / Inheritance | |
|
Class Chain:
self,
Rack::Utils,
Base
|
|
|
Instance Chain:
self,
Base
|
|
| Inherits: |
Rack::Protection::Base
|
| Defined in: | rack-protection/lib/rack/protection/escaped_params.rb |
Overview
- Prevented attack
XSS
- Supported browsers
all
- More infos
Automatically escapes Rack::Request#params so they can be embedded in HTML or JavaScript without any further issues.
Options
[:escape] What escaping modes to use. Should be Symbol or Array of Symbols of one of the following: :html:: escape HTML :url:: escape URLs :javascript:: escape JavaScript (requires the escape_utils gem or a custom :escaper).
Default is <tt>:html</tt>.
[:escaper] Object to use for escaping. It must respond to the following methods:
<tt>#escape_url</tt>:: if <tt>:escape</tt> is or contains <tt>:url</tt>
<tt>#escape_html</tt>:: if <tt>:escape</tt> is or contains <tt>:html</tt>
<tt>#escape_javascript</tt>:: if <tt>:escape</tt> is or contains <tt>:javascript</tt>
By default, this class is used for escaping, however this class
does not implement <tt>#escape_javascript</tt>. If <tt>:escape</tt> is
or includes <tt>:javascript</tt>, an exception will be raised.
To avoid this, include the {<tt>escape_utils</tt>}[https://rubygems.org/gems/escape_utils]
gem in your app, *or* provide your own <tt>:escaper</tt> object.
[Rack::Protection::Base options] any option supported by Rack::Protection::Base.
Example: Default usage
use Rack::Protection::EscapedParams
Example: Escape URLs and HTML
use Rack::Protection::EscapedParams, escape: [:html, :url]
Example: Escape everything using custom escaper
module MyEscaper
def self.escape_url(str)
# your custom code here
end
def self.escape_html(str)
# your custom code here
end
def self.escape_javascrtip(str)
# your custom code here
end
end
use Rack::Protection::EscapedParams, escape: [:html, :url, :javascript],
escaper: MyEscaper
Constant Summary
Base - Inherited
Class Method Summary
- .escape_url
- .new ⇒ EscapedParams constructor
Base - Inherited
| .default_options | Used by subclasses to declare default values for options they require. |
| .default_reaction | Used by subclasses to declare default reaction when a request is rejected. |
| .new | |
Instance Attribute Summary
Instance Method Summary
Base - Inherited
| #accepts?, #call, #debug, #default_options, | |
| #default_reaction | Alias for Base#deny. |
| #deny | Deny the request. |
| #drop_session, #encrypt, #html?, #instrument, #origin, #random_string, #react, #referrer, | |
| #report | When used as a reaction (with option reaction: :report), any rejected request will be allowed through, and a warning is omitted (note that warnings will not be shown if the :logging option has been set to false). |
| #safe?, #secure_compare, #session, #session?, #warn | |
Constructor Details
.new ⇒ EscapedParams
# File 'rack-protection/lib/rack/protection/escaped_params.rb', line 81
def initialize(*) super modes = Array [:escape] @escaper = [:escaper] @html = modes.include? :html @javascript = modes.include? :javascript @url = modes.include? :url return unless @javascript && (!@escaper.respond_to? :escape_javascript) raise('Use EscapeUtils for JavaScript escaping.') end
Class Method Details
.escape_url
[ GitHub ]# File 'rack-protection/lib/rack/protection/escaped_params.rb', line 74
alias escape_url escape
Instance Method Details
#call(env)
[ GitHub ]# File 'rack-protection/lib/rack/protection/escaped_params.rb', line 95
def call(env) request = Request.new(env) get_was = handle(request.GET) post_was = begin handle(request.POST) rescue StandardError nil end app.call env ensure request.GET.replace get_was if get_was request.POST.replace post_was if post_was end
#escape(object)
[ GitHub ]# File 'rack-protection/lib/rack/protection/escaped_params.rb', line 115
def escape(object) case object when Hash then escape_hash(object) when Array then object.map { |o| escape(o) } when String then escape_string(object) when Tempfile then object end end
#escape_hash(hash)
[ GitHub ]# File 'rack-protection/lib/rack/protection/escaped_params.rb', line 124
def escape_hash(hash) hash = hash.dup hash.each { |k, v| hash[k] = escape(v) } hash end
#escape_string(str)
[ GitHub ]# File 'rack-protection/lib/rack/protection/escaped_params.rb', line 130
def escape_string(str) str = @escaper.escape_url(str) if @url str = @escaper.escape_html(str) if @html str = @escaper.escape_javascript(str) if @javascript str end
#handle(hash)
[ GitHub ]# File 'rack-protection/lib/rack/protection/escaped_params.rb', line 109
def handle(hash) was = hash.dup hash.replace escape(hash) was end