class Rack::Protection::EscapedParams
Prevented attack:: XSS
Supported browsers:: all
More infos:: en.wikipedia.org/wiki/Cross-site_scripting

Automatically escapes Rack::Request#params so they can be embedded in HTML or JavaScript without any further issues. Calls html_safe on the escaped strings if defined, to avoid double-escaping in Rails.

Options:
escape - What escaping modes to use, should be Symbol or Array of Symbols. Available: :html (default), :javascript, :url
def call(env)
  # Escape the GET and POST params in place so the downstream app only sees
  # escaped values, then put the originals back in +ensure+ once the app has
  # returned (presumably so middleware further up the stack is unaffected).
  request = Request.new(env)
  get_was = handle(request.GET)
  # Only the POST side is best-effort: if reading/parsing the body raises
  # (a malformed body, presumably), POST is left untouched and, because
  # post_was stays nil, is not restored either. A failure on GET propagates.
  post_was =
    begin
      handle(request.POST)
    rescue StandardError
      nil
    end
  app.call env
ensure
  request.GET.replace(get_was) if get_was
  request.POST.replace(post_was) if post_was
end
def escape(object)
  # Recursively escape one params value: Hashes and Arrays are walked, Strings
  # go through the configured escaping modes, and every other value (nil,
  # numbers, and -- presumably -- multipart upload objects; verify against what
  # Rack puts in params) is dropped, i.e. replaced by nil.
  if object.is_a?(Hash)
    escape_hash(object)
  elsif object.is_a?(Array)
    object.map { |element| escape(element) }
  elsif object.is_a?(String)
    escape_string(object)
  end
end
def escape_hash(hash)
  # Build the result on a copy (dup keeps the original's class and defaults)
  # and run every value through #escape, which recurses into nested
  # Hashes/Arrays. Keys are left as they are.
  hash.each_with_object(hash.dup) do |(key, value), copy|
    copy[key] = escape(value)
  end
end
def escape_string(str)
  # Apply the enabled modes in a fixed order -- URL, then HTML, then
  # JavaScript -- using the escaper object from the :escaper option. Modes
  # stack: with several enabled, the later ones escape the already-escaped
  # text. A disabled mode is skipped entirely.
  steps = []
  steps << :escape_url if @url
  steps << :escape_html if @html
  steps << :escape_javascript if @javascript
  steps.reduce(str) { |text, step| @escaper.public_send(step, text) }
end
def handle(hash)
  # Swap the request hash's contents for their escaped form *in place* (the
  # app reads params through this same object) and hand back a copy of the
  # original so the caller can restore it later.
  original = hash.dup
  escaped = escape(hash)
  hash.replace(escaped)
  original
end
def initialize(*)
  # Base#initialize (not shown here) receives the app and options; the
  # enabled modes are read from the :escape option (a Symbol or an Array of
  # Symbols) and the escaper object from :escaper.
  super
  modes = Array(options[:escape])
  @escaper = options[:escaper]
  @html, @javascript, @url = %i[html javascript url].map { |mode| modes.include?(mode) }
  # Fail at construction rather than on the first request when :javascript is
  # requested but the configured escaper cannot provide it; the message
  # suggests EscapeUtils as the expected provider.
  return unless @javascript && !@escaper.respond_to?(:escape_javascript)

  raise "Use EscapeUtils for JavaScript escaping."
end