
app/controllers/concerns/sanitize_params.rb


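module SanitizeParams

  # HTML tags allowed to survive sanitization of any request parameter;
  # everything else (script, style, iframe, event-handler attributes, ...)
  # is stripped by the Rails sanitizer. Frozen so the list is built once
  # instead of on every call.
  ALLOWED_TAGS = %w(a acronym b strong i em li ul ol h1 h2 h3 h4 h5 h6 blockquote br cite sub sup ins p).freeze

  # Attributes kept on the allowed tags. Because `href` is permitted, the
  # sanitizer's own URL-scheme policing is what keeps `javascript:` links
  # out of stored content; confirm that behaviour for the installed
  # rails-html-sanitizer version.
  ALLOWED_ATTRIBUTES = %w(href title).freeze

  protected

  # Check each request parameter for improper HTML or script tags and
  # rewrite the controller's +params+ in place with the sanitized values.
  def sanitize_params
    sanitize_params_hash(params)
  end

  # Given a params hash, sanitize every value in place and return the hash.
  # Strings are sanitized, arrays and nested hashes are walked recursively,
  # and any other value (numbers, booleans, nil, uploaded files) is kept as is.
  #
  # @param params [Hash, ActionController::Parameters] hash-like container
  # @return the same object, mutated
  def sanitize_params_hash(params)
    # Assigning to keys that already exist is safe during iteration; no keys are added.
    params.each { |key, value| params[key] = sanitize_value(value) }
    params
  end

  # If the parameter was an array, sanitize each element in place and return
  # the array. Non-string elements are recursed into (arrays, hashes) or kept
  # unchanged, instead of being replaced by nil as a bare `if` would do.
  #
  # @param array [Array]
  # @return [Array] the same array, mutated
  def sanitize_array(array)
    array.map! { |element| sanitize_value(element) }
  end

  # Sanitize a single string value, keeping only ALLOWED_TAGS and
  # ALLOWED_ATTRIBUTES.
  #
  # @param value [String] raw request parameter
  # @return [String] sanitized HTML
  def sanitize_param(value)
    ActionController::Base.helpers.sanitize(value, tags: ALLOWED_TAGS, attributes: ALLOWED_ATTRIBUTES)
  end

  private

  # Dispatch on the shape of one value. Hash-likes are detected with
  # `respond_to?(:each_pair)` rather than `is_a?(Hash)` so that
  # ActionController::Parameters (no longer a Hash subclass from Rails 5 on)
  # is still walked; plain Hash responds to each_pair as well.
  #
  # @param value [Object] any parameter value
  # @return [Object] the sanitized value, or the value itself when it has no
  #   string content to sanitize
  def sanitize_value(value)
    case value
    when String then sanitize_param(value)
    when Array then sanitize_array(value)
    else
      value.respond_to?(:each_pair) ? sanitize_params_hash(value) : value
    end
  end

end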