Hilariously over-engineered sanitization module
require 'rubygems' | |
require 'action_controller' | |
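module Sanitizer
  # Tag allow-list handed to Rails' sanitize helper. Together with the
  # attribute list below this is the whole security policy of the module:
  # anything not named here is stripped from the attribute's value.
  ALLOWED_TAGS = %w(h3 h4 ul ol li p a strong em br font).freeze

  # Attribute allow-list. No URL-bearing attribute (href, src) is listed, so
  # `a` and `font` survive only with the attributes named here.
  ALLOWED_ATTRIBUTES = %w(class id name rel data-width data-height data-tip
                          data-tip-width data-tip-position size).freeze

  # Substitute sanitized when the underlying attribute is nil or false.
  # It reads "No name" whichever attribute was requested.
  BLANK_VALUE = 'No name'.freeze

  # Resolves `sanitized_<attr>` to a sanitized copy of the public `<attr>`
  # reader; every other unknown method falls through to the usual
  # NoMethodError via super.
  def method_missing(method_name, *)
    attr = sanitized_attr_method_name(method_name)
    return super unless attr && respond_to?(attr)

    # public_send rather than send: the guard above already limits delegation
    # to public methods, and public_send keeps that boundary even if
    # respond_to? is overridden by an including class.
    ActionController::Base.helpers.sanitize(
      public_send(attr) || BLANK_VALUE,
      :tags => ALLOWED_TAGS,
      :attributes => ALLOWED_ATTRIBUTES
    )
  end

  # Makes the virtual sanitized_* readers visible to respond_to?, method and
  # friends. Implemented as respond_to_missing? (the companion hook of
  # method_missing) instead of overriding respond_to? itself.
  def respond_to_missing?(method_name, include_private = false)
    attr = sanitized_attr_method_name(method_name)
    (attr && respond_to?(attr, include_private)) || super
  end

  private

  # Maps :sanitized_name to :name, or nil when method_name does not look like
  # a sanitized reader. Setters (sanitized_name=) are deliberately excluded;
  # a trailing ? or ! is kept so predicate/bang readers reach the real method.
  # \A and \z anchor the whole name (^/$ would only anchor a line), and a
  # single-character attribute is accepted.
  def sanitized_attr_method_name(method_name)
    attr = method_name.to_s[/\Asanitized_(\w+[?!]?)\z/, 1]
    attr.to_sym if attr
  end
end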
class Model
  include Sanitizer

  # Plain public readers; the matching sanitized_name / sanitized_address
  # readers are resolved dynamically by Sanitizer.
  attr_reader :name, :address

  # @param name [String] raw, possibly HTML-bearing, name
  # @param address [String] raw, possibly HTML-bearing, address
  def initialize(name, address)
    @name = name
    @address = address
  end
end
# Demo: build a Model from two HTML-bearing strings, print the raw and
# sanitized values, then probe which readers the object claims to respond to.
model = Model.new(
  '<strong>My Name</strong><script>alert(1)</script>',
  '<script>alert("pwned")</script><font size=23>1234</font> <em>Any</em> Street'
)

%w(name address).each do |attr|
  puts("#{attr} = #{model.public_send(attr)}")
  puts("sanitized = #{model.public_send("sanitized_#{attr}")}")
end

[:name, :sanitized_name, :sanitized_name=, :foo, :sanitized_foo].each do |meth|
  puts("respond_to?(#{meth.inspect}) = #{model.respond_to?(meth).inspect}")
end

puts("m.class = #{model.class.inspect}")
# Model defines no foo and Sanitizer's method_missing hands unknown names to
# super, so this final call raises NoMethodError.
puts("foo = #{model.foo}")