public Method

WhiteListSanitizer.sanitize_css(style)

Source
Home > Ruby > Rails > Rails 2.0.2 > ActionPack EDGE > HTML > WhiteListSanitizer > sanitize_css

Sanitizes a block of css code. Used by #sanitize when it comes across a style attribute

Source Code

# File action_controller/vendor/html-scanner/html/sanitizer.rb, line 104
def sanitize_css(style)
  # disallow urls
  style = style.to_s.gsub(/url\s*\(\s*[^\s)]+?\s*\)\s*/, ' ')

  # gauntlet
  if style !~ /^([:,;#%.\sa-zA-Z0-9!]|\w-\w|\'[\s\w]+\'|\"[\s\w]+\"|\([\d,\s]+\))*$/ ||
      style !~ /^(\s*[-\w]+\s*:\s*[^:;]*(;|$)\s*)*$/
    return ''
  end

  clean = []
  style.scan(/([-\w]+)\s*:\s*([^:;]*)/) do |prop,val|
    if allowed_css_properties.include?(prop.downcase)
      clean <<  prop + ': ' + val + ';'
    elsif shorthand_css_properties.include?(prop.split('-')[0].downcase) 
      unless val.split().any? do |keyword|
        !allowed_css_keywords.include?(keyword) && 
          keyword !~ /^(#[0-9a-f]+|rgb\(\d+%?,\d*%?,?\d*%?\)?|\d{0,2}\.?\d{0,2}(cm|em|ex|in|mm|pc|pt|px|%|,|\))?)$/
      end
        clean << prop + ': ' + val + ';'
      end
    end
  end
  clean.join(' ')
end
Comments

Have your say
Please use Textile formatting (click here for a cheat sheet). Use <code/> and <pre/> for code samples.
Click here to login with OpenID to to post comments.