# Copyright (C) 2012-2016 Zammad Foundation, http://zammad-foundation.org/
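module ChecksHtmlSanitized
  extend ActiveSupport::Concern

  included do
    # Sanitize on the normal save path (create and update). Writers that skip
    # callbacks (update_column/update_columns/update_all) bypass this hook, so
    # HTML written through them is not sanitized here.
    before_create :sanitized_html_attributes
    before_update :sanitized_html_attributes
  end

  # Runs HtmlSanitizer.strict over every attribute the class registered via
  # the `sanitized_html` macro and writes the result back through the
  # attribute setter.
  #
  # Blank values are left untouched; an including class can exclude single
  # values by overriding #sanitizeable?. The hook runs on every save, not only
  # when the attribute changed, so it relies on the strict sanitizer being
  # idempotent — NOTE(review): confirm against HtmlSanitizer.
  #
  # @return [nil]
  def sanitized_html_attributes
    # Class instance variable written by `sanitized_html`; it is read from
    # self.class only, so a subclass does not inherit the list unless it
    # calls the macro itself.
    html_attributes = self.class.instance_variable_get(:@sanitized_html) || []
    return if html_attributes.empty?

    html_attributes.each do |attribute|
      value = send(attribute)
      next if value.blank?
      next unless sanitizeable?(attribute, value)

      # send accepts a String method name; no Symbol conversion needed.
      send("#{attribute}=", HtmlSanitizer.strict(value))
    end
  end

  # Hook for including classes: return false to leave a given attribute value
  # un-sanitized. The default accepts every value.
  #
  # @param _attribute [Symbol] attribute name registered via `sanitized_html`
  # @param _value [Object] current attribute value (never blank when called
  #   from #sanitized_html_attributes)
  # @return [Boolean]
  def sanitizeable?(_attribute, _value)
    true
  end

  # methods defined here are going to extend the class, not the instance of it
  class_methods do

=begin

serve method to mark HTML attributes that need to get sanitized

  class Model < ApplicationModel
    include ChecksHtmlSanitized
    sanitized_html :body
  end

=end

    # Registers the attributes to sanitize before create/update.
    # Calling it again replaces the previous list rather than extending it.
    #
    # @param attributes [Array<Symbol>] attribute names
    # @return [Array<Symbol>] the registered list
    def sanitized_html(*attributes)
      @sanitized_html = attributes
    end
  end
end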