Filter external(String attribute, { Iterable<String> allowed })

Returns a Filter that can test if the path in attribute is external to all of the allowed uris.

The Filter returns true if the uri in attribute is invalid or external to all of the uris in allowed.

The Filter returns false for any of the following conditions:

  • the attribute is missing;
  • the uri is null;
  • the uri is relative to all uris;
  • the scheme in the uri is data or javascript;
  • when the uri is resolved from any of the allowed uris, its path starts with that allowed uri.

Source

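static Filter external(String attribute, {Iterable<String> allowed}) {
  // Copy the allowed uris once; a missing list is treated as empty.
  var allowedUris = allowed == null ? const [] : new List.from(allowed);
  return (t, o) {
    var uri = o[attribute];
    // Missing attribute or null uri: not external.
    if (uri == null) return false;
    // An invalid uri is treated as external.
    if (!isValid(uri)) return true;
    // Relative uris and data:/javascript: uris are not reported as external.
    if (isRelative(uri) ||
        ['data', 'javascript'].contains(Uri.parse(uri).scheme)) {
      return false;
    }
    // External unless the resolved uri string starts with an allowed uri.
    return !allowedUris
        .any((a) => Uri.parse(a).resolve(uri).toString().startsWith(a));
  };
}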
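
The last check in the Source compares strings with startsWith, so how each allowed uri is written decides what counts as internal. The following is an added example, not part of this library: prefixAllows isolates that comparison, componentAllows is a hypothetical stricter check on scheme, host, port and whole path segments, and all hosts are constructed.

```dart
/// The prefix comparison from the Source above, for a single allowed uri.
bool prefixAllows(String allowed, String uri) =>
    Uri.parse(allowed).resolve(uri).toString().startsWith(allowed);

/// Hypothetical stricter check (an assumption, not this library's API):
/// scheme, host and port must be equal, and the allowed path must match
/// on whole segments rather than on characters.
bool componentAllows(String allowed, String uri) {
  final base = Uri.parse(allowed);
  final target = base.resolve(uri);
  if (target.scheme != base.scheme ||
      target.host != base.host ||
      target.port != base.port) {
    return false;
  }
  final want = base.pathSegments.where((s) => s.isNotEmpty).toList();
  final got = target.pathSegments.where((s) => s.isNotEmpty).toList();
  if (got.length < want.length) return false;
  for (var i = 0; i < want.length; i++) {
    if (got[i] != want[i]) return false;
  }
  return true;
}

void main() {
  // Constructed [allowed, uri] pairs.
  const cases = [
    // Inside the allowed tree: both checks accept it.
    ['https://example.com/docs', 'https://example.com/docs/intro.html'],
    // Sibling directory sharing a character prefix: only the prefix check accepts it.
    ['https://example.com/docs', 'https://example.com/docs-old/a.html'],
    // Different host sharing a character prefix: only the prefix check accepts it.
    ['https://example.com', 'https://example.com.other.test/docs'],
    // Unrelated host: both checks reject it.
    ['https://example.com', 'https://other.test/page'],
  ];
  for (final c in cases) {
    print('allowed=${c[0]} uri=${c[1]} '
        'prefix=${prefixAllows(c[0], c[1])} '
        'component=${componentAllows(c[0], c[1])}');
  }
}
```

When calling external, writing each allowed uri with a trailing slash (for example https://example.com/ or https://example.com/docs/) keeps the prefix comparison from matching the second and third cases.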