method

process_attributes_for

process_attributes_for(node, options)
protected

No documentation available.

# File actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb, line 155
    def process_attributes_for(node, options)
      return unless node.attributes
      node.attributes.keys.each do |attr_name|
        value = node.attributes[attr_name].to_s

        # Drop any attribute that is not in the options[:attributes] whitelist,
        # and any URI attribute whose scheme is not allowed (e.g. javascript:).
        if !options[:attributes].include?(attr_name) || contains_bad_protocols?(attr_name, value)
          node.attributes.delete(attr_name)
        else
          # Keep the attribute: style goes through the CSS sanitizer, every
          # other value is HTML-escaped. Note that escaping is applied to the
          # value as found, so an already-escaped value is escaped again.
          node.attributes[attr_name] = attr_name == 'style' ? sanitize_css(value) : CGI::escapeHTML(value)
        end
      end
    end

1 Note

Bug that causes escape buildup

kieran · Jul 28, 2008

There is a bug in this method that causes an escape build-up when you have links or image URLs, for example, with ampersands in them. Over time, it goes something like this:

& -> &amp; -> &amp;amp; -> &amp;amp;amp; -> etc

This breaks the URL so links and images are not clickable/viewable. To fix, simply unescape before you re-escape. Works like a charm. We have the following in an initializer, "html_sanitizer_patch.rb", that fixes this behaviour.

module HTML
  class WhiteListSanitizer < Sanitizer
    protected

    def process_attributes_for(node, options)
      return unless node.attributes
      node.attributes.keys.each do |attr_name|
        value = node.attributes[attr_name].to_s
        if !options[:attributes].include?(attr_name) || contains_bad_protocols?(attr_name, value)
          node.attributes.delete(attr_name)
        else
          # Unescape first so a value that was escaped on an earlier pass is
          # normalised back to its raw form before being escaped once more.
          node.attributes[attr_name] = attr_name == 'style' ? sanitize_css(value) : CGI::escapeHTML(CGI::unescapeHTML(value))
        end
      end
    end
  end
end
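The escape build-up described in the note above, and the effect of the unescape-then-escape fix, can be reproduced without loading Rails. The following is an added example, not the html-scanner code or kieran's patch: it models `process_attributes_for` as two functions over a plain attribute hash (the `style`/`sanitize_css` branch is omitted), runs each one several times over the same attributes, as happens when content is sanitized on every save, and compares the results. The attribute and protocol whitelists and the `bad_protocol?` helper are assumptions standing in for `options[:attributes]`, `allowed_protocols` and `contains_bad_protocols?`; they are deliberately simplified and do not reproduce the Rails implementation.

```ruby
require 'cgi'

# Assumed whitelists, standing in for the sanitizer's options (not Rails' own).
ALLOWED_ATTRIBUTES = %w[href src alt title].freeze
URI_ATTRIBUTES     = %w[href src].freeze
ALLOWED_PROTOCOLS  = %w[http https mailto].freeze

# Simplified stand-in for contains_bad_protocols?. Entities are decoded first,
# so "javascript&#58;alert(1)" is judged as the "javascript:alert(1)" that a
# browser will execute, and whitespace/control characters inside the scheme
# are ignored, as browsers ignore them.
def bad_protocol?(attr_name, value)
  return false unless URI_ATTRIBUTES.include?(attr_name)
  decoded = CGI.unescapeHTML(value)
  # A scheme is present only if ':' occurs before any '/' (so "/a:b" is relative).
  m = decoded.match(/\A([^\/:]*):/)
  return false unless m
  scheme = m[1].gsub(/[[:space:][:cntrl:]]/, '').downcase
  !ALLOWED_PROTOCOLS.include?(scheme)
end

# Model of the original method: escapes the value as found on every pass,
# so '&' becomes '&amp;', then '&amp;amp;', and so on.
def process_attributes_original(attrs)
  attrs.keys.each do |name|
    value = attrs[name].to_s
    if !ALLOWED_ATTRIBUTES.include?(name) || bad_protocol?(name, value)
      attrs.delete(name)
    else
      attrs[name] = CGI.escapeHTML(value)
    end
  end
  attrs
end

# Model of the patched method: normalises to the decoded form before escaping,
# so the stored value is the same however many times the sanitizer runs.
def process_attributes_patched(attrs)
  attrs.keys.each do |name|
    value = attrs[name].to_s
    if !ALLOWED_ATTRIBUTES.include?(name) || bad_protocol?(name, value)
      attrs.delete(name)
    else
      attrs[name] = CGI.escapeHTML(CGI.unescapeHTML(value))
    end
  end
  attrs
end

# Apply a sanitizer n times to a copy of attrs, as happens when a record is
# sanitized on creation and again on each subsequent edit.
def sanitize_n_times(attrs, n, &sanitizer)
  n.times.reduce(attrs.dup) { |acc, _| sanitizer.call(acc) }
end

if __FILE__ == $0
  # Constructed sample attributes: a URL with a query-string ampersand and an
  # event handler that is not on the whitelist.
  link = { 'href' => 'http://example.com/?a=1&b=2', 'onclick' => 'x()' }
  puts sanitize_n_times(link, 3) { |a| process_attributes_original(a) }['href']
  puts sanitize_n_times(link, 3) { |a| process_attributes_patched(a) }['href']
end
```

One design choice worth noting: kieran's patch still passes the raw, possibly entity-encoded value to `contains_bad_protocols?` and then stores the escape of the decoded value. In this example the protocol check itself runs on the decoded string, so the value that is judged is the value the browser will interpret; whether that matters for Rails depends on how `contains_bad_protocols?` handles encoded separators, which this page does not show.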