diff options
author | Kasper Timm Hansen <kaspth@gmail.com> | 2015-03-07 18:48:06 +0100 |
---|---|---|
committer | Kasper Timm Hansen <kaspth@gmail.com> | 2015-03-10 20:04:01 +0100 |
commit | 37695b8aabc1386f21039b16c32541d71f0d4182 (patch) | |
tree | 1b6b3ec5dabb35507527f6d7f94ca22b843d8480 | |
parent | 96b8f401f58e9ed4ea41aa32a2b34850640ac0d7 (diff) | |
download | rails-37695b8aabc1386f21039b16c32541d71f0d4182.tar.gz rails-37695b8aabc1386f21039b16c32541d71f0d4182.tar.bz2 rails-37695b8aabc1386f21039b16c32541d71f0d4182.zip |
Let strip_tags leave HTML escaping to Rails.
Prevents double escaping errors, such as "&" becoming "&amp;".
-rw-r--r-- | Gemfile | 2 | ||||
-rw-r--r-- | Gemfile.lock | 14 | ||||
-rw-r--r-- | actionpack/actionpack.gemspec | 2 | ||||
-rw-r--r-- | actionview/actionview.gemspec | 2 | ||||
-rw-r--r-- | actionview/lib/action_view/helpers/sanitize_helper.rb | 2 | ||||
-rw-r--r-- | actionview/test/template/sanitize_helper_test.rb | 4 |
6 files changed, 19 insertions, 7 deletions
@@ -10,6 +10,8 @@ gem 'rake', '>= 10.3' # ensure correct loading order gem 'mocha', '~> 0.14', require: false +gem 'rails-html-sanitizer', '~> 1.0.2', github: 'rails/rails-html-sanitizer' + gem 'rack-cache', '~> 1.2' gem 'jquery-rails', github: 'rails/jquery-rails', branch: 'master' gem 'coffee-rails', '~> 4.1.0' diff --git a/Gemfile.lock b/Gemfile.lock index 0dc7559d9e..c879cd15b9 100644 --- a/Gemfile.lock +++ b/Gemfile.lock @@ -35,6 +35,13 @@ GIT railties (>= 4.2.0) thor (>= 0.14, < 2.0) +GIT + remote: git://github.com/rails/rails-html-sanitizer.git + revision: 4f0f7810fce6c8aa63de07a40d69d6027a30acaf + specs: + rails-html-sanitizer (1.0.2) + loofah (~> 2.0) + PATH remote: . specs: @@ -50,13 +57,13 @@ PATH rack (~> 1.6) rack-test (~> 0.6.3) rails-dom-testing (~> 1.0, >= 1.0.5) - rails-html-sanitizer (~> 1.0, >= 1.0.1) + rails-html-sanitizer (~> 1.0, >= 1.0.2) actionview (5.0.0.alpha) activesupport (= 5.0.0.alpha) builder (~> 3.1) erubis (~> 2.7.0) rails-dom-testing (~> 1.0, >= 1.0.5) - rails-html-sanitizer (~> 1.0, >= 1.0.1) + rails-html-sanitizer (~> 1.0, >= 1.0.2) activejob (5.0.0.alpha) activesupport (= 5.0.0.alpha) globalid (>= 0.3.0) @@ -165,8 +172,6 @@ GEM activesupport (>= 4.2.0.beta, < 5.0) nokogiri (~> 1.6.0) rails-deprecated_sanitizer (>= 1.0.1) - rails-html-sanitizer (1.0.1) - loofah (~> 2.0) rake (10.4.2) rdoc (4.2.0) redcarpet (3.2.2) @@ -274,6 +279,7 @@ DEPENDENCIES racc (>= 1.4.6) rack-cache (~> 1.2) rails! + rails-html-sanitizer (~> 1.0.2)! rake (>= 10.3) redcarpet (~> 3.2.2) resque diff --git a/actionpack/actionpack.gemspec b/actionpack/actionpack.gemspec index d907001bd6..319e87212b 100644 --- a/actionpack/actionpack.gemspec +++ b/actionpack/actionpack.gemspec @@ -23,7 +23,7 @@ Gem::Specification.new do |s| s.add_dependency 'rack', '~> 1.6' s.add_dependency 'rack-test', '~> 0.6.3' - s.add_dependency 'rails-html-sanitizer', '~> 1.0', '>= 1.0.1' + s.add_dependency 'rails-html-sanitizer', '~> 1.0', '>= 1.0.2' s.add_dependency 'rails-dom-testing', '~> 1.0', '>= 1.0.5' s.add_dependency 'actionview', version diff --git a/actionview/actionview.gemspec b/actionview/actionview.gemspec index 8f9194cda7..8c4e633db7 100644 --- a/actionview/actionview.gemspec +++ b/actionview/actionview.gemspec @@ -23,7 +23,7 @@ Gem::Specification.new do |s| s.add_dependency 'builder', '~> 3.1' s.add_dependency 'erubis', '~> 2.7.0' - s.add_dependency 'rails-html-sanitizer', '~> 1.0', '>= 1.0.1' + s.add_dependency 'rails-html-sanitizer', '~> 1.0', '>= 1.0.2' s.add_dependency 'rails-dom-testing', '~> 1.0', '>= 1.0.5' s.add_development_dependency 'actionpack', version diff --git a/actionview/lib/action_view/helpers/sanitize_helper.rb b/actionview/lib/action_view/helpers/sanitize_helper.rb index 463a4e9f60..a2e9f37453 100644 --- a/actionview/lib/action_view/helpers/sanitize_helper.rb +++ b/actionview/lib/action_view/helpers/sanitize_helper.rb @@ -99,7 +99,7 @@ module ActionView # strip_tags("<div id='top-bar'>Welcome to my website!</div>") # # => Welcome to my website! def strip_tags(html) - self.class.full_sanitizer.sanitize(html) + self.class.full_sanitizer.sanitize(html, encode_special_chars: false) end # Strips all link tags from +html+ leaving just the link text. diff --git a/actionview/test/template/sanitize_helper_test.rb b/actionview/test/template/sanitize_helper_test.rb index e4be21be2c..efe846a7eb 100644 --- a/actionview/test/template/sanitize_helper_test.rb +++ b/actionview/test/template/sanitize_helper_test.rb @@ -29,6 +29,10 @@ class SanitizeHelperTest < ActionView::TestCase assert_equal "", strip_tags("<script>") end + def test_strip_tags_will_not_encode_special_characters + assert_equal "test\r\n\r\ntest", strip_tags("test\r\n\r\ntest") + end + def test_sanitize_is_marked_safe assert sanitize("<html><script></script></html>").html_safe? end |