# Copyright (C) 2012-2022 Zammad Foundation, https://zammad-foundation.org/
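module ChecksHtmlSanitized
  extend ActiveSupport::Concern

  included do
    # Sanitization is hooked into the ActiveRecord callback chain, so only
    # writes that run callbacks are covered.
    # NOTE(review): update_column / update_columns / update_all / insert_all
    # bypass callbacks and would persist the raw value — confirm no such code
    # path writes an attribute declared with sanitized_html.
    before_create :sanitized_html_attributes
    before_update :sanitized_html_attributes
  end

  # Runs HtmlSanitizer.strict over every attribute declared with
  # `sanitized_html` whose value changed in the current save, and writes the
  # sanitized result back through the attribute writer.
  #
  # Declarations are collected from the record's class and all of its
  # superclasses: the declaration is stored in a class instance variable,
  # which Ruby does not inherit, so without the walk a subclass of a model
  # that declares `sanitized_html :body` would silently skip sanitization.
  #
  # An attribute is skipped when it did not change in this save, when its
  # value is blank (nothing to sanitize), or when `sanitizeable?` returns
  # false for it.
  #
  # @return [true] always. Rails halts before_* callbacks only through
  #   `throw :abort`, so the return value does not influence the save.
  def sanitized_html_attributes
    html_attributes = self.class.ancestors
                          .grep(Class)
                          .flat_map { |klass| Array(klass.instance_variable_get(:@sanitized_html)) }
                          .uniq
    return true if html_attributes.blank?

    html_attributes.each do |attribute|
      # `changes` is indifferent-access, so symbol and string names both work;
      # an unchanged attribute has no entry and is left alone.
      next if changes[attribute].blank?

      value = send(attribute)
      next if value.blank?
      next unless sanitizeable?(attribute, value)

      send(:"#{attribute}=", HtmlSanitizer.strict(value))
    end

    true
  end

  # Extension point for including models: return false to leave a specific
  # attribute value untouched by the sanitizer. The default sanitizes every
  # declared attribute.
  #
  # Overrides should be conservative — a false return stores the value
  # exactly as it was assigned, without HtmlSanitizer.strict.
  #
  # @param _attribute [Symbol, String] the attribute name being checked
  # @param _value [Object] the (non-blank) value about to be sanitized
  # @return [Boolean]
  def sanitizeable?(_attribute, _value)
    true
  end

  # methods defined here are going to extend the class, not the instance of it
  class_methods do

=begin

serve method to mark HTML attributes that need to get sanitized

  class Model < ApplicationModel
    include ChecksHtmlSanitized
    sanitized_html :body
  end

Repeated calls accumulate: `sanitized_html :a` followed by
`sanitized_html :b` sanitizes both. A later call no longer replaces the
earlier list, which previously dropped attributes from sanitization
without any warning.

=end

    # Adds the given attribute names to the set that is sanitized before
    # create/update. Duplicates are collapsed; the set is kept in the
    # class instance variable @sanitized_html and read back by
    # sanitized_html_attributes (including from superclasses).
    #
    # @param attributes [Array<Symbol, String>] attribute names to sanitize
    # @return [Array<Symbol, String>] the full declared list for this class
    def sanitized_html(*attributes)
      @sanitized_html = (Array(@sanitized_html) + attributes).uniq
    end
  end
end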