class Rack::Protection::EscapedParams
- Prevented attack: XSS
- Supported browsers: all
- More info: Automatically escapes Rack::Request#params so they can be embedded in HTML or JavaScript without any further issues.
Options:
- escape: Which escaping modes to use; a Symbol or an Array of Symbols. Available: :html (default), :javascript, :url
- escaper: The object that performs the escaping (read from options[:escaper] in the constructor). When the :javascript mode is enabled it must respond to escape_javascript, otherwise the constructor raises 'Use EscapeUtils for JavaScript escaping.'
Public Class Methods
new(*)
Calls superclass method Rack::Protection::Base::new

    # File lib/rack/protection/escaped_params.rb, line 36
    def initialize(*)
      super
      modes       = Array options[:escape]
      @escaper    = options[:escaper]
      @html       = modes.include? :html
      @javascript = modes.include? :javascript
      @url        = modes.include? :url

      # JavaScript escaping needs an escaper that actually implements it
      return unless @javascript && (!@escaper.respond_to? :escape_javascript)

      raise('Use EscapeUtils for JavaScript escaping.')
    end
Public Instance Methods
call(env)

    # File lib/rack/protection/escaped_params.rb, line 50
    def call(env)
      request  = Request.new(env)
      get_was  = handle(request.GET)
      post_was = begin
        handle(request.POST)   # parsing the body can raise; POST is then left untouched
      rescue StandardError
        nil
      end

      app.call env
    ensure
      # hand the unescaped params back once the app has run
      request.GET.replace get_was if get_was
      request.POST.replace post_was if post_was
    end
escape(object)

    # File lib/rack/protection/escaped_params.rb, line 70
    def escape(object)
      case object
      when Hash     then escape_hash(object)
      when Array    then object.map { |o| escape(o) }
      when String   then escape_string(object)
      when Tempfile then object   # uploaded files pass through untouched
      end
    end
escape_hash(hash)

    # File lib/rack/protection/escaped_params.rb, line 79
    def escape_hash(hash)
      hash = hash.dup
      hash.each { |k, v| hash[k] = escape(v) }
      hash
    end
escape_string(str)

    # File lib/rack/protection/escaped_params.rb, line 85
    def escape_string(str)
      # modes are applied in this fixed order: url, then html, then javascript
      str = @escaper.escape_url(str) if @url
      str = @escaper.escape_html(str) if @html
      str = @escaper.escape_javascript(str) if @javascript
      str
    end
handle(hash)

    # File lib/rack/protection/escaped_params.rb, line 64
    def handle(hash)
      was = hash.dup
      hash.replace escape(hash)   # mutate in place so the app sees escaped params
      was                         # return the original so #call can restore it
    end
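The recursive walk performed by escape/escape_hash and the mutate-then-restore pattern of handle, shown on a constructed params hash as an added stand-alone example (not the gem's code). It assumes an escaper that responds to escape_html, as Rack::Utils or EscapeUtils do; here the standard library's CGI.escapeHTML is used so that nothing beyond stdlib is required.

```ruby
require 'cgi'
require 'tempfile'

# Minimal escaper standing in for Rack::Utils / EscapeUtils (assumption).
module HtmlEscaper
  def self.escape_html(str)
    CGI.escapeHTML(str)
  end
end

class ParamsEscaper
  def initialize(escaper: HtmlEscaper, modes: [:html])
    @escaper = escaper
    @html    = modes.include?(:html)
  end

  # Same dispatch as EscapedParams#escape: hashes and arrays are walked,
  # strings are escaped, Tempfile uploads pass through, anything else
  # becomes nil because the case expression has no else branch.
  def escape(object)
    case object
    when Hash     then object.dup.tap { |h| h.each { |k, v| h[k] = escape(v) } }
    when Array    then object.map { |o| escape(o) }
    when String   then @html ? @escaper.escape_html(object) : object
    when Tempfile then object
    end
  end

  # Mirrors EscapedParams#handle: mutate the hash in place for the app and
  # return the unescaped copy so the caller can restore it afterwards.
  def handle(hash)
    was = hash.dup
    hash.replace escape(hash)
    was
  end
end

# Constructed request parameters with a nested hash, an array and an upload.
SAMPLE_PARAMS = {
  'name'   => '<script>alert(1)</script>',
  'tags'   => ['a<b', { 'q' => '"quoted" & more' }],
  'upload' => Tempfile.new('u')
}.freeze

def escaped_sample
  ParamsEscaper.new.escape(SAMPLE_PARAMS)
end

# What the app sees during the request, and what is left after the restore.
def round_trip
  params = SAMPLE_PARAMS.dup
  was = ParamsEscaper.new.handle(params)
  seen_by_app = params['name']
  params.replace was   # the ensure block in #call does this
  [seen_by_app, params['name']]
end
```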