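# frozen_string_literal: true

# Controller concern that walks the request parameters and runs every
# String value through the Rails HTML sanitizer, recursing in place into
# nested Hash-like objects (Hash or ActionController::Parameters) and Arrays.
#
# Note: the sanitizer is applied to *every* string value, not only to
# rich-text fields, so a plain value containing `<`, `>` or `&` is changed
# as well (the Rails sanitizer escapes text outside allowed tags — confirm
# the exact output for the installed rails-html-sanitizer version).
module SanitizeParams
  # HTML tags that survive sanitization; any other tag is stripped.
  ALLOWED_TAGS = %w[a acronym b strong i em li ul ol h1 h2 h3 h4 h5 h6
                    blockquote br cite sub sup ins p].freeze
  # Attributes that survive on the allowed tags. `href` is kept, so the
  # sanitizer's own URL-protocol safelist is what has to reject
  # `javascript:` links — NOTE(review): confirm this holds for the
  # installed rails-html-sanitizer version.
  ALLOWED_ATTRIBUTES = %w[href title].freeze

  protected

  # Sanitize the current request's params in place.
  #
  # Relies on the including controller's `params` method.
  #
  # @return the same params object, mutated
  def sanitize_params
    sanitize_params_hash(params)
  end

  # Sanitize every value of a Hash-like object in place.
  #
  # Strings are sanitized, Arrays and nested Hash-likes are recursed into,
  # everything else (numbers, booleans, nil, uploads, ...) is left as is.
  # Only existing keys are reassigned while iterating — Ruby permits that;
  # no keys are added or removed.
  #
  # @param params [Hash, #each_pair] container to sanitize
  # @return the same object, mutated
  def sanitize_params_hash(params)
    params.each_pair { |key, value| params[key] = sanitize_value(value) }
    params
  end

  # Sanitize every element of an Array in place.
  #
  # Non-String elements are recursed into (Hash-like / Array) or passed
  # through unchanged instead of being replaced by nil, so an array of
  # nested hashes (e.g. `items: [{ name: ... }]`) keeps its data.
  #
  # @param array [Array]
  # @return [Array] the same array, mutated (Array#map! returns self)
  def sanitize_array(array)
    array.map! { |element| sanitize_value(element) }
  end

  # Sanitize a single String with the Rails HTML sanitizer using the
  # module's tag and attribute safelists.
  #
  # @param value [String]
  # @return [String] the sanitizer's output (html_safe-marked in Rails)
  def sanitize_param(value)
    ActionController::Base.helpers.sanitize(value, tags: ALLOWED_TAGS, attributes: ALLOWED_ATTRIBUTES)
  end

  private

  # Dispatch one value to the matching sanitizer by shape.
  #
  # ActionController::Parameters (Rails 5+) is not a Hash, so an
  # `is_a?(Hash)` check would silently skip every nested parameter group;
  # duck-type on #each_pair instead so both Hash and Parameters recurse.
  #
  # @param value [Object]
  # @return [Object] the sanitized value, or the value itself when it is
  #   neither a String, an Array nor Hash-like
  def sanitize_value(value)
    case value
    when String then sanitize_param(value)
    when Array then sanitize_array(value)
    else
      value.respond_to?(:each_pair) ? sanitize_params_hash(value) : value
    end
  end
end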