class TaintedLove::Replacer::ReplaceActionView

Public Instance Methods

# File lib/tainted_love/replacer/replace_action_view.rb, line 12
# Replacement for ActionView::OutputBuffer#append= (installed by #replace!).
#
# ActionView's ERB handler writes each template expression to the output
# buffer through this setter. A value that is both tainted (derived from
# untrusted input) and html_safe? is appended without escaping, so it is
# reported as a potential XSS before the write happens.
#
# @param value [Object] the fragment a compiled template is appending
# @return the result of the delegated `self << value`
# NOTE: depends on Object#tainted?, which Ruby 3.2 removed.
def append=(value)
  unsafe = value.tainted? && value.html_safe?
  TaintedLove.report(:ReplaceActionView, value, [:xss], 'Tainted string is html_safe') if unsafe
  # The actual write still goes through the buffer's own operator.
  self << value
end
Calls superclass method
# File lib/tainted_love/replacer/replace_action_view.rb, line 28
# Replacement for ActionView::Template#render (prepended by #replace!).
#
# Everything crossing the template boundary is untainted: the value the
# caller's block yields back into the template, and the rendered result
# itself. Rendered output therefore carries no taint and will not be reported
# further downstream; this replacer reports only from the output buffer's
# append= hook.
#
# Assumes a block is given (Rails passes one for template rendering); with a
# nil block the forwarding proc raises NoMethodError on the first yield.
# NOTE: depends on Object#untaint, which Ruby 3.2 removed.
def render(*args, &block)
  forwarding = proc do |*yield_args, &yield_block|
    block.(*yield_args, &yield_block).untaint
  end
  super(*args, &forwarding).untaint
end
# File lib/tainted_love/replacer/replace_action_view.rb, line 10
# Installs the ActionView hooks: an output-buffer setter that reports tainted
# html_safe fragments, and a Template#render wrapper that untaints whatever
# crosses the template boundary.
#
# ActionView::OutputBuffer is referenced unconditionally (should_replace? only
# checks that ActionView itself is defined); the render wrapper is prepended
# only when ActionView::Template resolves.
# NOTE: the hooks use Object#tainted?/#untaint, which Ruby 3.2 removed.
def replace!
  # Reporting point: a tainted value that is html_safe? is appended to the
  # buffer without escaping, so flag it as a potential XSS before the write.
  ActionView::OutputBuffer.class_eval do
    def append=(value)
      unsafe = value.tainted? && value.html_safe?
      TaintedLove.report(:ReplaceActionView, value, [:xss], 'Tainted string is html_safe') if unsafe
      self << value
    end
  end

  # Untaint the yield of a template: both what the caller's block yields into
  # the template and the rendered result leave untainted, so rendered output
  # is not reported downstream. Assumes a block is given, as Rails does.
  untainting_render = Module.new do
    def render(*args, &block)
      forwarding = proc do |*yield_args, &yield_block|
        block.(*yield_args, &yield_block).untaint
      end
      super(*args, &forwarding).untaint
    end
  end

  ActionView::Template.prepend(untainting_render) if Object.const_defined?('ActionView::Template')
end
# File lib/tainted_love/replacer/replace_action_view.rb, line 6
# Whether the hooks in #replace! apply to this process: true when the
# top-level ActionView constant is defined. Only ActionView itself is checked
# here; replace! separately guards its ActionView::Template hook.
#
# @return [Boolean]
def should_replace?
  Object.const_defined?(:ActionView)
end