File: sanitizer.rb

package info (click to toggle)
amrita 1.0.2-8
  • links: PTS
  • area: main
  • in suites: squeeze
  • size: 1,884 kB
  • ctags: 1,362
  • sloc: ruby: 9,159; xml: 978; makefile: 110
file content (36 lines) | stat: -rw-r--r-- 995 bytes parent folder | download | duplicates (4) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
 
require "amrita/template"
include Amrita

tmpl = TemplateText.new %q[<p id=body>xxx</p>]


data = {
   :body=>"I want to insert new line.<br>But I can't"
}

tmpl.expand(STDOUT, data) # <p>I want to insert new line.&lt;br&gt;But I can't</p>
puts

data = {
    :body=>noescape { "I can insert new line <br>with escape { ... } <br>But it may be dangerous" }
}

tmpl.expand(STDOUT, data) # <p>I can insert new line <br>with escape { ... } <br>But it may be dangerous</p>
puts

data = {
    # The attacker expected amrita to print <p yyy=""></p>XSS attack<p>But amrita sanitize it!</p>
    :body=>a(:yyy=>%q["></p>XSS attack here<p]) { "But amrita sanitize it!" }
}
tmpl.expand(STDOUT, data) # <p yyy="&quot;&gt;&lt;/p&gt;XSS attack here&lt;p">But amrita sanitize it!</p>
puts

tmpl = TemplateText.new %q[<a id=body>href is treated in a special way</a>]

data = {
    :body=>a(:href=>%q[javascript:alert('hello')])
}
tmpl.expand(STDOUT, data) # <a href="">href is treated in a special way</a>
puts