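<?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
  <title>sanitize_css (HTML::WhiteListSanitizer)</title>
  <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
  <link rel="stylesheet" href="../../.././rdoc-style.css" type="text/css" media="screen" />
</head>
<body class="standalone-code">
<!--
  Reviewer notes on the listing below (HTML::WhiteListSanitizer#sanitize_css).
  The listing had its line breaks collapsed; they are restored here so the
  Ruby comments no longer swallow the statements that follow them. Raw "<<"
  and "&&" operators are now entity-escaped so the pre block is well-formed.

  What the code establishes:
  - url(...) occurrences are blanked before any validation; the pattern only
    matches an argument with no whitespace and no ")" inside it, so this is a
    first pass and the two "gauntlet" regexes remain the real filter.
  - The first gauntlet regex limits the whole style string to a small
    character set plus quoted [\s\w]+ strings and parenthesised [\d,\s]+
    groups, so a value cannot carry letters inside parentheses; the second
    requires every declaration to have the shape "name: value;".
  - Properties listed in allowed_css_properties are re-emitted with their
    value unchanged. Only shorthand_css_properties get a per-keyword check
    against allowed_css_keywords and the colour/length pattern; if any
    keyword fails, the whole declaration is dropped.
  - Keywords are not downcased before the "#[0-9a-f]+" test, so upper-case
    hex colours in a shorthand value are rejected unless they appear in
    allowed_css_keywords (a false reject, not a bypass).
  - The rgb(...) alternative ends in an optional ")" and the length
    alternative admits a bare "," or ")", which is what lets a value split on
    whitespace such as "rgb(1, 2, 3)" pass keyword by keyword.
-->
<pre><span class="ruby-comment cmt"># File lib/action_controller/vendor/html-scanner/html/sanitizer.rb, line 104</span>
<span class="ruby-keyword kw">def</span> <span class="ruby-identifier">sanitize_css</span>(<span class="ruby-identifier">style</span>)
  <span class="ruby-comment cmt"># disallow urls</span>
  <span class="ruby-identifier">style</span> = <span class="ruby-identifier">style</span>.<span class="ruby-identifier">to_s</span>.<span class="ruby-identifier">gsub</span>(<span class="ruby-regexp re">/url\s*\(\s*[^\s)]+?\s*\)\s*/</span>, <span class="ruby-value str">' '</span>)

  <span class="ruby-comment cmt"># gauntlet</span>
  <span class="ruby-keyword kw">if</span> <span class="ruby-identifier">style</span> <span class="ruby-operator">!~</span> <span class="ruby-regexp re">/^([:,;#%.\sa-zA-Z0-9!]|\w-\w|\'[\s\w]+\'|\"[\s\w]+\"|\([\d,\s]+\))*$/</span> <span class="ruby-operator">||</span>
      <span class="ruby-identifier">style</span> <span class="ruby-operator">!~</span> <span class="ruby-regexp re">/^(\s*[-\w]+\s*:\s*[^:;]*(;|$)\s*)*$/</span>
    <span class="ruby-keyword kw">return</span> <span class="ruby-value str">''</span>
  <span class="ruby-keyword kw">end</span>

  <span class="ruby-identifier">clean</span> = []
  <span class="ruby-identifier">style</span>.<span class="ruby-identifier">scan</span>(<span class="ruby-regexp re">/([-\w]+)\s*:\s*([^:;]*)/</span>) <span class="ruby-keyword kw">do</span> <span class="ruby-operator">|</span><span class="ruby-identifier">prop</span>,<span class="ruby-identifier">val</span><span class="ruby-operator">|</span>
    <span class="ruby-keyword kw">if</span> <span class="ruby-identifier">allowed_css_properties</span>.<span class="ruby-identifier">include?</span>(<span class="ruby-identifier">prop</span>.<span class="ruby-identifier">downcase</span>)
      <span class="ruby-identifier">clean</span> <span class="ruby-operator">&lt;&lt;</span> <span class="ruby-identifier">prop</span> <span class="ruby-operator">+</span> <span class="ruby-value str">': '</span> <span class="ruby-operator">+</span> <span class="ruby-identifier">val</span> <span class="ruby-operator">+</span> <span class="ruby-value str">';'</span>
    <span class="ruby-keyword kw">elsif</span> <span class="ruby-identifier">shorthand_css_properties</span>.<span class="ruby-identifier">include?</span>(<span class="ruby-identifier">prop</span>.<span class="ruby-identifier">split</span>(<span class="ruby-value str">'-'</span>)[<span class="ruby-value">0</span>].<span class="ruby-identifier">downcase</span>)
      <span class="ruby-keyword kw">unless</span> <span class="ruby-identifier">val</span>.<span class="ruby-identifier">split</span>().<span class="ruby-identifier">any?</span> <span class="ruby-keyword kw">do</span> <span class="ruby-operator">|</span><span class="ruby-identifier">keyword</span><span class="ruby-operator">|</span>
        <span class="ruby-operator">!</span><span class="ruby-identifier">allowed_css_keywords</span>.<span class="ruby-identifier">include?</span>(<span class="ruby-identifier">keyword</span>) <span class="ruby-operator">&amp;&amp;</span>
          <span class="ruby-identifier">keyword</span> <span class="ruby-operator">!~</span> <span class="ruby-regexp re">/^(#[0-9a-f]+|rgb\(\d+%?,\d*%?,?\d*%?\)?|\d{0,2}\.?\d{0,2}(cm|em|ex|in|mm|pc|pt|px|%|,|\))?)$/</span>
      <span class="ruby-keyword kw">end</span>
        <span class="ruby-identifier">clean</span> <span class="ruby-operator">&lt;&lt;</span> <span class="ruby-identifier">prop</span> <span class="ruby-operator">+</span> <span class="ruby-value str">': '</span> <span class="ruby-operator">+</span> <span class="ruby-identifier">val</span> <span class="ruby-operator">+</span> <span class="ruby-value str">';'</span>
      <span class="ruby-keyword kw">end</span>
    <span class="ruby-keyword kw">end</span>
  <span class="ruby-keyword kw">end</span>
  <span class="ruby-identifier">clean</span>.<span class="ruby-identifier">join</span>(<span class="ruby-value str">' '</span>)
<span class="ruby-keyword kw">end</span></pre>
</body>
</html>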