
# Copyright (C) 2012-2025 Zammad Foundation, https://zammad-foundation.org/
class HtmlSanitizer
  # Sanitizer variant that pushes the input through the TagRemove, QuoteContent,
  # Wipe and Link scrubbers in that order and records whether the Wipe pass
  # reported remote content being stripped.
  class Strict < Base
    # Set from the Wipe scrubber on every run_sanitization call, so it is
    # overwritten by each sanitize call; read it right after the call whose
    # result matters. False until the first call.
    attr_reader :remote_content_removed

    # @param no_images [Boolean] when true, an additional TagRemove pass
    #   configured with tags: %w[img] is applied after QuoteContent.
    def initialize(no_images: false)
      super()
      @no_images              = no_images
      @remote_content_removed = false
    end

    # Sanitizes +string+ and returns the resulting HTML.
    #
    # @param string   [String]  HTML fragment to sanitize
    # @param external [Boolean] forwarded unchanged to the Link scrubber
    # @param timeout  [Boolean] when true the work runs inside with_timeout
    #   (provided by Base, not visible in this file); when false it runs
    #   without that guard.
    def sanitize(string, external: false, timeout: true)
      unless timeout
        return run_sanitization(string, external)
      end

      with_timeout(string) { run_sanitization(string, external) }
    end

    private

    # Scrubber pipeline: TagRemove -> QuoteContent -> (img TagRemove when
    # @no_images) -> Wipe via loop_string -> Link. Stores the Wipe scrubber's
    # remote_content_removed flag on the instance before the Link pass.
    def run_sanitization(string, external)
      fragment = Loofah.fragment(string)
      fragment.scrub!(HtmlSanitizer::Scrubber::TagRemove.new)
      fragment.scrub!(HtmlSanitizer::Scrubber::QuoteContent.new)
      fragment.scrub!(HtmlSanitizer::Scrubber::TagRemove.new(tags: %w[img])) if @no_images

      wipe = HtmlSanitizer::Scrubber::Wipe.new
      # loop_string comes from Base (not shown here); presumably it re-applies
      # the scrubber until the markup stops changing - confirm in Base.
      wiped = loop_string(fragment.to_html, wipe)
      @remote_content_removed = wipe.remote_content_removed

      link = HtmlSanitizer::Scrubber::Link.new(
        web_app_url_prefix: web_app_url_prefix,
        external:           external
      )
      Loofah.fragment(wiped).scrub!(link).to_html
    end

    # Builds the lower-cased "<http_type>://<fqdn>/#" prefix from the fqdn and
    # http_type settings; handed to the Link scrubber as web_app_url_prefix.
    def web_app_url_prefix
      host   = Setting.get('fqdn')
      scheme = Setting.get('http_type')
      "#{scheme}://#{host}/#".downcase
    end
  end
end