123456789_123456789_123456789_123456789_123456789_

Class: Rack::Protection::EscapedParams

Relationships & Source Files
Super Chains via Extension / Inclusion / Inheritance
Class Chain:
self, Rack::Utils, Base
Instance Chain:
self, Base
Inherits: Rack::Protection::Base
Defined in: rack-protection/lib/rack/protection/escaped_params.rb

Overview

Prevented attack

XSS

Supported browsers

all

More infos

http://en.wikipedia.org/wiki/Cross-site_scripting

Automatically escapes Rack::Request#params so they can be embedded in HTML or JavaScript without any further issues.

Options

[:escape] What escaping modes to use. Should be Symbol or Array of Symbols of one of the following: :html:: escape HTML :url:: escape URLs :javascript:: escape JavaScript (requires the escape_utils gem or a custom :escaper).

Default is <tt>:html</tt>.

[:escaper] Object to use for escaping. It must respond to the following methods:

<tt>#escape_url</tt>:: if <tt>:escape</tt> is or contains <tt>:url</tt>
<tt>#escape_html</tt>:: if <tt>:escape</tt> is or contains <tt>:html</tt>
<tt>#escape_javascript</tt>:: if <tt>:escape</tt> is or contains <tt>:javascript</tt>

By default, this class is used for escaping, however this class
does not implement <tt>#escape_javascript</tt>.  If <tt>:escape</tt> is
or includes <tt>:javascript</tt>, an exception will be raised.

To avoid this, include the {<tt>escape_utils</tt>}[https://rubygems.org/gems/escape_utils]
gem in your app, *or* provide your own <tt>:escaper</tt> object.

[Rack::Protection::Base options] any option supported by Rack::Protection::Base.

Example: Default usage

use Rack::Protection::EscapedParams

Example: Escape URLs and HTML

use Rack::Protection::EscapedParams, escape: [:html, :url]

Example: Escape everything using custom escaper

module MyEscaper
 def self.escape_url(str)
   # your custom code here
 end
 def self.escape_html(str)
   # your custom code here
 end
 def self.escape_javascrtip(str)
   # your custom code here
 end
end

use Rack::Protection::EscapedParams, escape: [:html, :url, :javascript],
                                    escaper: MyEscaper

Constant Summary

Base - Inherited

DEFAULT_OPTIONS

Class Method Summary

Base - Inherited

.default_options

Used by subclasses to declare default values for options they require.

.default_reaction

Used by subclasses to declare default reaction when a request is rejected.

.new

Instance Attribute Summary

Base - Inherited

Instance Method Summary

Base - Inherited

#accepts?, #call, #debug, #default_options,
#default_reaction

Alias for Base#deny.

#deny

Deny the request.

#drop_session, #encrypt, #html?, #instrument, #origin, #random_string, #react, #referrer,
#report

When used as a reaction (with option reaction: :report), any rejected request will be allowed through, and a warning is omitted (note that warnings will not be shown if the :logging option has been set to false).

#safe?, #secure_compare, #session, #session?, #warn

Constructor Details

.newEscapedParams

[ GitHub ]

  
# File 'rack-protection/lib/rack/protection/escaped_params.rb', line 81

def initialize(*)
  super

  modes       = Array options[:escape]
  @escaper    = options[:escaper]
  @html       = modes.include? :html
  @javascript = modes.include? :javascript
  @url        = modes.include? :url

  return unless @javascript && (!@escaper.respond_to? :escape_javascript)

  raise('Use EscapeUtils for JavaScript escaping.')
end

Class Method Details

.escape_url

[ GitHub ]

  
# File 'rack-protection/lib/rack/protection/escaped_params.rb', line 74

alias escape_url escape

Instance Method Details

#call(env)

[ GitHub ]

  
# File 'rack-protection/lib/rack/protection/escaped_params.rb', line 95

def call(env)
  request  = Request.new(env)
  get_was  = handle(request.GET)
  post_was = begin
    handle(request.POST)
  rescue StandardError
    nil
  end
  app.call env
ensure
  request.GET.replace  get_was  if get_was
  request.POST.replace post_was if post_was
end

#escape(object)

[ GitHub ]

  
# File 'rack-protection/lib/rack/protection/escaped_params.rb', line 115

def escape(object)
  case object
  when Hash   then escape_hash(object)
  when Array  then object.map { |o| escape(o) }
  when String then escape_string(object)
  when Tempfile then object
  end
end

#escape_hash(hash)

[ GitHub ]

  
# File 'rack-protection/lib/rack/protection/escaped_params.rb', line 124

def escape_hash(hash)
  hash = hash.dup
  hash.each { |k, v| hash[k] = escape(v) }
  hash
end

#escape_string(str)

[ GitHub ]

  
# File 'rack-protection/lib/rack/protection/escaped_params.rb', line 130

def escape_string(str)
  str = @escaper.escape_url(str)        if @url
  str = @escaper.escape_html(str)       if @html
  str = @escaper.escape_javascript(str) if @javascript
  str
end

#handle(hash)

[ GitHub ]

  
# File 'rack-protection/lib/rack/protection/escaped_params.rb', line 109

def handle(hash)
  was = hash.dup
  hash.replace escape(hash)
  was
end