Class: Qiita::Markdown::Filters::FinalSanitizer
- Inherits: HTML::Pipeline::Filter
  - Object
  - HTML::Pipeline::Filter
  - Qiita::Markdown::Filters::FinalSanitizer
- Defined in: lib/qiita/markdown/filters/final_sanitizer.rb
Overview
Sanitizes undesirable elements with a whitelist-based rule. You can pass optional :rule and :script context values.
Since this filter is applied at the end of html-pipeline, its rules are intentionally weakened to allow elements and attributes which are generated by other filters.
Constant Summary
- RULE =
  {
    attributes: {
      "a" => %w[
        data-hovercard-target-name
        data-hovercard-target-type
        href
        rel
      ],
      "blockquote" => Embed::Tweet::ATTRIBUTES,
      "iframe" => %w[
        allowfullscreen
        frameborder
        height
        loading
        marginheight
        marginwidth
        scrolling
        src
        style
        width
      ],
      "img" => [
        "src",
      ],
      "input" => %w[
        checked
        disabled
        type
      ],
      "div" => %w[
        itemscope
        itemtype
      ],
      "p" => Embed::CodePen::ATTRIBUTES,
      "script" => %w[
        async
        src
        type
      ].concat(
        Embed::SpeekerDeck::ATTRIBUTES,
        Embed::Docswell::ATTRIBUTES,
      ),
      "span" => [
        "style",
      ],
      "td" => [
        "style",
      ],
      "th" => [
        "style",
      ],
      "details" => [
        "open",
      ],
      "video" => %w[
        src
        autoplay
        controls
        loop
        muted
        poster
      ],
      all: %w[
        abbr align alt border cellpadding cellspacing cite class color cols
        colspan data-lang data-sourcepos datetime height hreflang id itemprop
        lang name rowspan tabindex target title width
      ],
    },
    css: {
      properties: %w[
        background-color
        border
        text-align
      ],
    },
    elements: %w[
      a b blockquote br caption code dd del details div dl dt em font
      h1 h2 h3 h4 h5 h6 h7 h8 hr i img input ins kbd li ol p pre q rp rt
      ruby s samp script iframe section span strike strong sub summary sup
      table tbody td tfoot th thead tr tt ul var
    ],
    protocols: {
      "a" => {
        "href" => [
          :relative,
          "http",
          "https",
          "mailto",
        ],
      },
      "img" => {
        "src" => [
          :relative,
          "http",
          "https",
        ],
      },
      "video" => {
        "src" => [
          :relative,
          "http",
          "https",
        ],
        "poster" => [
          :relative,
          "http",
          "https",
        ],
      },
    },
    transformers: [
      Transformers::StripInvalidNode,
      Transformers::FilterScript,
      Transformers::FilterIframe,
    ],
  }.freeze
- SCRIPTABLE_RULE =
  RULE.dup.tap do |rule|
    rule[:attributes] = RULE[:attributes].dup
    rule[:attributes][:all] = rule[:attributes][:all] + [:data]
    rule[:elements] = RULE[:elements] + ["video"]
    rule[:transformers] = rule[:transformers] - [Transformers::FilterScript, Transformers::FilterIframe]
  end.freeze
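
The derivation of SCRIPTABLE_RULE from RULE, as an added example that is not part of qiita-markdown: it reports what the relaxed rule permits beyond the default one and checks that the shallow dup left no modified container shared between the two. The trimmed RULE, the stand-in transformer lambdas and the helper names loosened and isolated? are assumptions made for illustration.

```ruby
# Stand-in transformers (constructed); the real ones live in qiita-markdown.
module Transformers
  StripInvalidNode = ->(env) {}
  FilterScript     = ->(env) {}
  FilterIframe     = ->(env) {}
end

# Trimmed, constructed copy of the page's RULE, frozen only at the top level.
RULE = {
  attributes: {
    "a"   => %w[href rel],
    "img" => ["src"],
    all:  %w[class id title],
  },
  elements: %w[a img script iframe],
  transformers: [
    Transformers::StripInvalidNode,
    Transformers::FilterScript,
    Transformers::FilterIframe,
  ],
}.freeze

# Same derivation as on the page: shallow dup, then replace (never mutate in
# place) each nested value that has to differ.
SCRIPTABLE_RULE = RULE.dup.tap do |rule|
  rule[:attributes] = RULE[:attributes].dup
  rule[:attributes][:all] = rule[:attributes][:all] + [:data]
  rule[:elements] = RULE[:elements] + ["video"]
  rule[:transformers] = rule[:transformers] - [Transformers::FilterScript, Transformers::FilterIframe]
end.freeze

# What the relaxed rule permits beyond the strict one.
def loosened(strict, relaxed)
  {
    added_elements:       relaxed[:elements] - strict[:elements],
    added_all_attributes: relaxed[:attributes][:all] - strict[:attributes][:all],
    removed_transformers: strict[:transformers] - relaxed[:transformers],
  }
end

# True when no container changed for the relaxed rule is shared with the
# strict one, so relaxing one cannot leak into the other.
def isolated?(strict, relaxed)
  [[:attributes], [:attributes, :all], [:elements], [:transformers]].none? do |path|
    strict.dig(*path).equal?(relaxed.dig(*path))
  end
end

p loosened(RULE, SCRIPTABLE_RULE), isolated?(RULE, SCRIPTABLE_RULE)
```

The per-tag attribute lists (for example "a") are still the same objects in both rules, and only the outer hash is frozen, so an in-place `<<` on any nested list would change both rules.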
Instance Method Details
#call ⇒ Object
  # File 'lib/qiita/markdown/filters/final_sanitizer.rb', line 214

  def call
    ::Sanitize.clean_node!(doc, rule)
    doc
  end