class ReeText::PermitScrubber

def scrub_attribute(node, attr_node)

def scrub_attribute(node, attr_node)
  attr_name = if attr_node.namespace
    "#{attr_node.namespace.prefix}:#{attr_node.node_name}"
  else
    attr_node.node_name
  end
  if Loofah::HTML5::SafeList::ATTR_VAL_IS_URI.include?(attr_name)
    # this block lifted nearly verbatim from HTML5 sanitization
    val_unescaped = unescape_html(attr_node.value)
      .gsub(Loofah::HTML5::Scrub::CONTROL_CHARACTERS,'')
      .downcase
    if val_unescaped =~ /^[a-z0-9][-+.a-z0-9]*:/ && !Loofah::HTML5::SafeList::ALLOWED_PROTOCOLS.include?(val_unescaped.split(Loofah::HTML5::SafeList::PROTOCOL_SEPARATOR)[0])
      attr_node.remove
    end
  end
  if Loofah::HTML5::SafeList::SVG_ATTR_VAL_ALLOWS_REF.include?(attr_name)
    attr_node.value = attr_node.value.gsub(/url\s*\(\s*[^#\s][^)]+?\)/m, ' ') if attr_node.value
  end
  if Loofah::HTML5::SafeList::SVG_ALLOW_LOCAL_HREF.include?(node.name) && attr_name == 'xlink:href' && attr_node.value =~ /^\s*[^#\s].*/m
    attr_node.remove
  end
  if attr_name == 'src' && attr_node.value !~ /[^[:space:]]/
    node.remove_attribute(attr_node.name)
  end
  Loofah::HTML5::Scrub.force_correct_attribute_escaping!(node)
end

Included Modules

ReeText::PermitScrubber::Ree::LinkDSL

Modules

Classes

class ReeText::PermitScrubber

def scrub_attribute(node, attr_node)

Included Modules

Instance Methods