class Sqreen::Rules::Haml4CompilerBuildAttributeCB
Hook build attributes
Public Class Methods
clean_hash_key(hash, limit = 10, seen = []) { |k| ... }
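# File lib/sqreen/rules/xss_cb.rb, line 216
# Rebuild +hash+ (and every nested Hash value) with each key passed through
# the block.
#
# The block receives one key and must return a pair +[new_key, found_xss]+;
# the +found_xss+ flags are OR-ed together into the second element of the
# result so the caller knows whether any key was rewritten.
#
# @param hash  [Hash]    attributes to rewrite
# @param limit [Integer] remaining recursion depth; when exhausted the pair
#   +[nil, false]+ is returned, so the nested value becomes nil
# @param seen  [Array<Integer>] object_ids of hashes already entered, used to
#   cut cycles; a hash met a second time is replaced by nil
# @return [Array(Hash, Boolean)] the rebuilt hash and whether the block
#   reported XSS for any key (nested keys included)
def self.clean_hash_key(hash, limit = 10, seen = [], &block)
  seen << hash.object_id
  # Always return a pair so `new_h[key], flag = clean_hash_key(...)` stays
  # well-formed in the recursive caller (a bare nil return made both nil).
  return [nil, false] if limit <= 0

  has_xss = false
  new_h = {}
  hash.each do |k, v|
    new_key, found_xss = yield k
    has_xss |= found_xss
    # Only Hash values are recursed into, so only they can form a cycle.
    # Checking `seen` against every value's object_id would also match
    # repeated immediates (true, nil, small Integers, Symbols, frozen string
    # literals) and silently drop those attributes without running the block
    # on their key.
    new_h[new_key] =
      if !v.is_a?(Hash)
        v
      elsif seen.include?(v.object_id)
        nil
      else
        nested, nested_xss = clean_hash_key(v, limit - 1, seen, &block)
        has_xss |= nested_xss
        nested
      end
  end
  [new_h, has_xss]
end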
new(*args)
Calls superclass method
Sqreen::Rules::XSSCB::new
# File lib/sqreen/rules/xss_cb.rb, line 191
# Construct the callback exactly as the superclass does, then mark this
# instance as not overtimeable.
#
# @param args [Array] forwarded unchanged to the superclass constructor
def initialize(*args)
  super # zsuper: forwards *args (and any block) to the parent initializer
  # NOTE(review): presumably tied to the ignored +_budget+ argument of +pre+
  # — confirm against the CB base class.
  @overtimeable = false
end
Public Instance Methods
pre(inst, args, _budget = nil, &_block)
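# File lib/sqreen/rules/xss_cb.rb, line 196
# Pre-hook run before Haml 4 builds an element's attributes.
#
# Walks the attributes hash (the last hook argument) and HTML-escapes every
# String key that equals a dangerous request parameter. Only keys are
# rewritten here; values are passed through untouched. When something was
# escaped and the callback is in blocking mode, the hooked method is
# re-invoked with the cleaned hash and its result substituted.
#
# @param inst    [Object] receiver of the hooked method
# @param args    [Array]  arguments of the hooked call; +args[-1]+ is the
#   attributes Hash
# @param _budget [Object] unused
# @return [Hash, nil] +{ :status => :skip, :new_return_value => r }+ when the
#   call was re-issued with escaped attributes; nil when there is nothing to
#   do (Haml >= 5, no attributes hash, no dangerous key, or not blocking)
def pre(inst, args, _budget = nil, &_block)
  # Compare as versions, not strings: '10.0' < '5' is true lexicographically.
  return unless Gem::Version.new(Haml::VERSION) < Gem::Version.new('5')

  attrs = args[-1]
  # Nothing to clean if the hooked call does not carry an attributes hash
  # (the original would have raised on `nil.each`).
  return unless attrs.is_a?(Hash)

  params = xss_params
  new_attrs, found_xss = Haml4CompilerBuildAttributeCB.clean_hash_key(attrs) do |key|
    # is_a?(String) already excludes nil, so no separate nil? check is needed.
    if key.is_a?(String) && params.any? { |p| p == key } && report_dangerous_xss?(key)
      Sqreen.log.debug { format('Found unescaped user param: %s', key) }
      [CGI.escape_html(key), true]
    else
      [key, false]
    end
  end
  # `block` is presumably the callback's blocking-mode flag from the CB base
  # class (not defined here) — only re-issue the call when it is set.
  return if !found_xss || !block

  # potential XSS! let's escape
  args[-1] = new_attrs
  r = inst.send(method, *args)
  { :status => :skip, :new_return_value => r }
end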