authorKasper Timm Hansen <kaspth@gmail.com>2014-09-02 21:07:41 +0200
committerKasper Timm Hansen <kaspth@gmail.com>2014-09-03 20:27:59 +0200
commit28eecd934b91618b1334acce859c26c1a380f51a (patch)
tree589226d6f13aab150b6ac70f5d763eeb94fc83e2
parenta2f8377d1dd66c200a9a8d31db14f2b0a4bec744 (diff)
downloadrails-28eecd934b91618b1334acce859c26c1a380f51a.tar.gz
rails-28eecd934b91618b1334acce859c26c1a380f51a.tar.bz2
rails-28eecd934b91618b1334acce859c26c1a380f51a.zip
Ship with rails-html-sanitizer instead.
-rw-r--r--actionpack/actionpack.gemspec2
-rw-r--r--actionview/actionview.gemspec2
-rw-r--r--actionview/lib/action_view/helpers/sanitize_helper.rb11
-rw-r--r--actionview/test/template/sanitize_helper_test.rb2
-rw-r--r--guides/source/4_2_release_notes.md3
-rw-r--r--railties/test/application/default_stack_test.rb41
6 files changed, 8 insertions, 53 deletions
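--- a/actionpack/actionpack.gemspec
+++ b/actionpack/actionpack.gemspec
@@ -23,7 +23,7 @@ Gem::Specification.new do |s|
 s.add_dependency 'rack', '~> 1.6.0.beta'
 s.add_dependency 'rack-test', '~> 0.6.2'
- s.add_dependency 'rails-deprecated_sanitizer', '~> 1.0', '>= 1.0.2'
+ s.add_dependency 'rails-html-sanitizer', '~> 1.0'
 s.add_dependency 'rails-dom-testing', '~> 1.0', '>= 1.0.2'
 s.add_dependency 'actionview', version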
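--- a/actionview/actionview.gemspec
+++ b/actionview/actionview.gemspec
@@ -23,7 +23,7 @@ Gem::Specification.new do |s|
 s.add_dependency 'builder', '~> 3.1'
 s.add_dependency 'erubis', '~> 2.7.0'
- s.add_dependency 'rails-deprecated_sanitizer', '~> 1.0', '>= 1.0.2'
+ s.add_dependency 'rails-html-sanitizer', '~> 1.0'
 s.add_dependency 'rails-dom-testing', '~> 1.0', '>= 1.0.2'
 s.add_development_dependency 'actionpack', version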
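--- a/actionview/lib/action_view/helpers/sanitize_helper.rb
+++ b/actionview/lib/action_view/helpers/sanitize_helper.rb
@@ -1,6 +1,6 @@
 require 'active_support/core_ext/object/try'
 require 'active_support/deprecation'
-require 'rails-deprecated_sanitizer'
+require 'rails-html-sanitizer'
 module ActionView
 # = Action View Sanitize Helpers
@@ -122,14 +122,9 @@ module ActionView
 attr_writer :full_sanitizer, :link_sanitizer, :white_list_sanitizer
 # Vendors the full, link and white list sanitizers.
- # This uses html-scanner for the HTML sanitization.
- # In the next Rails version this will use Rails::Html::Sanitizer instead.
- # To get this new behavior now, in your Gemfile, add:
- #
- # gem 'rails-html-sanitizer'
- #
+ # Provided strictly for compabitility and can be removed in Rails 5.
 def sanitizer_vendor
- Rails::DeprecatedSanitizer
+ Rails::Html::Sanitizer
 end
 def sanitized_allowed_tags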
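Review bot: The new comment above `sanitizer_vendor` misspells "compatibility" and does not say what it is kept compatible with; suggest `# Provided strictly for compatibility with code that overrides or reads the vendor; can be removed in Rails 5.` so the next maintainer knows why a method that now only returns a constant is still public. With this commit the only test that asserted `sanitizer_vendor` resolves to `Rails::Html::Sanitizer` in a booted app (railties/test/application/default_stack_test.rb) is deleted, so the default vendor is no longer covered anywhere visible in the diff; a one-line assertion in the ActionView sanitize helper tests would keep that guarantee. The `require 'active_support/deprecation'` on the first hunk is left in place even though the deprecated sanitizer path is gone; if nothing else in this file uses it, it can go too. The enclosing module and the methods after `def sanitized_allowed_tags` continue outside the hunk.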
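--- a/actionview/test/template/sanitize_helper_test.rb
+++ b/actionview/test/template/sanitize_helper_test.rb
@@ -18,7 +18,7 @@ class SanitizeHelperTest < ActionView::TestCase
 def test_should_sanitize_illegal_style_properties
 raw = %(display:block; position:absolute; left:0; top:0; width:100%; height:100%; z-index:1; background-color:black; background-image:url(http://www.ragingplatypus.com/i/cam-full.jpg); background-x:center; background-y:center; background-repeat:repeat;)
- expected = %(display: block; width: 100%; height: 100%; background-color: black; background-image: ; background-x: center; background-y: center;)
+ expected = %(display: block; width: 100%; height: 100%; background-color: black; background-x: center; background-y: center;)
 assert_equal expected, sanitize_css(raw)
 end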
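Review bot: The updated `expected` string pins the exact serialization of the new sanitizer (the `background-image` property is now dropped instead of emitted with an empty value), so the test will break on any harmless formatting change while saying nothing explicit about the property that matters. Consider keeping the exact-match assertion and adding `assert_no_match(/url\(/, sanitize_css(raw))` so the security intent, that no URL-bearing declaration survives `sanitize_css`, is stated independently of output formatting. The same applies to `position`, `left`, `top` and `z-index`, which the expected string implicitly requires to be stripped. `SanitizeHelperTest` continues outside the hunk.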
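--- a/guides/source/4_2_release_notes.md
+++ b/guides/source/4_2_release_notes.md
@@ -167,7 +167,8 @@ config.log_level = :info
 ### HTML Sanitizer
 The HTML sanitizer has been replaced with a new, more robust, implementation
-built upon Loofah and Nokogiri. The new sanitizer is (TODO: betterer).
+built upon Loofah and Nokogiri. The new sanitizer is more secure and its
+sanitization is more powerful and flexible.
 With a new sanitization algorithm, the sanitized output will change for certain
 pathological inputs.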
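--- a/railties/test/application/default_stack_test.rb
+++ /dev/null
@@ -1,41 +0,0 @@
-# -*- coding: utf-8 -*-
-require 'isolation/abstract_unit'
-require 'rack/test'
-require 'active_support/json'
-
-module ApplicationTests
- class DefaultStackTest < ActiveSupport::TestCase
- include ActiveSupport::Testing::Isolation
- include Rack::Test::Methods
-
- def setup
- build_app(initializers: true)
- boot_rails
- end
-
- def teardown
- teardown_app
- end
-
- test "the sanitizer helper" do
- controller :foo, <<-RUBY
- class FooController < ApplicationController
- def index
- render text: self.class.helpers.class.sanitizer_vendor
- end
- end
- RUBY
-
- app_file 'config/routes.rb', <<-RUBY
- Rails.application.routes.draw do
- get ':controller(/:action)'
- end
- RUBY
-
- require "#{app_path}/config/environment"
-
- get "/foo"
- assert_equal 'Rails::Html::Sanitizer', last_response.body.strip
- end
- end
-end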