authorJuanito Fatas <juanito.fatas@shopify.com>2019-05-14 13:09:39 +0900
committerKasper Timm Hansen <kaspth@gmail.com>2019-08-05 03:35:35 +0200
commit52f0b050e25cac6d9571d71c9f74ea583d8aa2b0 (patch)
treef0cb5d415575b2de0f9ee6a3ba563c9d409aab96
parent1af44e4aeeb04a6360b5104d8ee7b4a042ef93d8 (diff)
Update sanitizer in ActionView::Helpers::SanitizeHelper
- The sanitizer has been changed to safe_list_sanitizer. - deprecate white_list_sanitizer
-rw-r--r--actiontext/app/helpers/action_text/content_helper.rb2
-rw-r--r--actionview/CHANGELOG.md4
-rw-r--r--actionview/lib/action_view/helpers/sanitize_helper.rb34
3 files changed, 18 insertions, 22 deletions
diff --git a/actiontext/app/helpers/action_text/content_helper.rb b/actiontext/app/helpers/action_text/content_helper.rb
index ed2887d865..1e05f572f7 100644
--- a/actiontext/app/helpers/action_text/content_helper.rb
+++ b/actiontext/app/helpers/action_text/content_helper.rb
@@ -4,7 +4,7 @@ require "rails-html-sanitizer"
module ActionText
module ContentHelper
- mattr_accessor(:sanitizer) { Rails::Html::Sanitizer.white_list_sanitizer.new }
+ mattr_accessor(:sanitizer) { Rails::Html::Sanitizer.safe_list_sanitizer.new }
mattr_accessor(:allowed_tags) { sanitizer.class.allowed_tags + [ ActionText::Attachment::TAG_NAME, "figure", "figcaption" ] }
mattr_accessor(:allowed_attributes) { sanitizer.class.allowed_attributes + ActionText::Attachment::ATTRIBUTES }
mattr_accessor(:scrubber)
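Review bot: `Rails::Html::Sanitizer.safe_list_sanitizer` on the new `mattr_accessor(:sanitizer)` line is the method the CHANGELOG hunk attributes to rails-html-sanitizer 1.1.0, yet the diffstat lists only two Ruby files and the CHANGELOG, so no gemspec or Gemfile constraint is raised in this commit. Against an older installed gem the block raises NoMethodError the first time `sanitizer` is read, which for ActionText means the default sanitizer is never built rather than a degraded one being used. The same applies to every `safe_list_sanitizer` call in the sanitize_helper.rb hunks. Unless the constraint is bumped elsewhere, raise the dependency to `>= 1.1.0` in the affected gemspecs as part of this change (or guard with `respond_to?(:safe_list_sanitizer)` if older versions must keep working).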
diff --git a/actionview/CHANGELOG.md b/actionview/CHANGELOG.md
index ca3ce1476a..71a8b3fdcb 100644
--- a/actionview/CHANGELOG.md
+++ b/actionview/CHANGELOG.md
@@ -1,3 +1,7 @@
+* ActionView::Helpers::SanitizeHelper: support rails-html-sanitizer 1.1.0.
+
+ *Juanito Fatas*
+
* Added `phone_to` helper method to create a link from mobile numbers
*Pietro Moro*
diff --git a/actionview/lib/action_view/helpers/sanitize_helper.rb b/actionview/lib/action_view/helpers/sanitize_helper.rb
index fdce4fe688..d6d0635911 100644
--- a/actionview/lib/action_view/helpers/sanitize_helper.rb
+++ b/actionview/lib/action_view/helpers/sanitize_helper.rb
@@ -1,6 +1,7 @@
# frozen_string_literal: true
require "rails-html-sanitizer"
+require "active_support/deprecation"
module ActionView
# = Action View Sanitize Helpers
@@ -16,7 +17,7 @@ module ActionView
# ASCII, and hex character references to work around these protocol filters.
# All special characters will be escaped.
#
- # The default sanitizer is Rails::Html::WhiteListSanitizer. See {Rails HTML
+ # The default sanitizer is Rails::Html::SafeListSanitizer. See {Rails HTML
# Sanitizers}[https://github.com/rails/rails-html-sanitizer] for more information.
#
# Custom sanitization rules can also be provided.
@@ -79,12 +80,12 @@ module ActionView
# config.action_view.sanitized_allowed_tags = ['strong', 'em', 'a']
# config.action_view.sanitized_allowed_attributes = ['href', 'title']
def sanitize(html, options = {})
- self.class.white_list_sanitizer.sanitize(html, options)&.html_safe
+ self.class.safe_list_sanitizer.sanitize(html, options)&.html_safe
end
# Sanitizes a block of CSS code. Used by +sanitize+ when it comes across a style attribute.
def sanitize_css(style)
- self.class.white_list_sanitizer.sanitize_css(style)
+ self.class.safe_list_sanitizer.sanitize_css(style)
end
# Strips all HTML tags from +html+, including comments and special characters.
@@ -122,20 +123,14 @@ module ActionView
end
module ClassMethods #:nodoc:
- attr_writer :full_sanitizer, :link_sanitizer, :white_list_sanitizer
-
- # Vendors the full, link and white list sanitizers.
- # Provided strictly for compatibility and can be removed in Rails 6.
- def sanitizer_vendor
- Rails::Html::Sanitizer
- end
+ attr_writer :full_sanitizer, :link_sanitizer, :safe_list_sanitizer
def sanitized_allowed_tags
- sanitizer_vendor.white_list_sanitizer.allowed_tags
+ safe_list_sanitizer.allowed_tags
end
def sanitized_allowed_attributes
- sanitizer_vendor.white_list_sanitizer.allowed_attributes
+ safe_list_sanitizer.allowed_attributes
end
# Gets the Rails::Html::FullSanitizer instance used by +strip_tags+. Replace with
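Review bot: `safe_list_sanitizer.allowed_tags` in the new `sanitized_allowed_tags` body (and `safe_list_sanitizer.allowed_attributes` below it) changes the receiver from the sanitizer class to the memoized instance that `safe_list_sanitizer` returns, whereas the removed lines and the content_helper.rb hunk (`sanitizer.class.allowed_tags`) both read the allow-list from the class. Unless the instance exposes a public no-argument `allowed_tags`, these now raise; they also run against whatever object an application assigns via `config.action_view.safe_list_sanitizer`, which the doc comment only requires to respond to `sanitize`. Keep the class as the receiver, e.g. `Rails::Html::Sanitizer.safe_list_sanitizer.allowed_tags` and `Rails::Html::Sanitizer.safe_list_sanitizer.allowed_attributes`, so the allow-list the helper reports stays the one the default sanitizer enforces. The enclosing ClassMethods module continues past this hunk.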
@@ -144,9 +139,8 @@ module ActionView
# class Application < Rails::Application
# config.action_view.full_sanitizer = MySpecialSanitizer.new
# end
- #
def full_sanitizer
- @full_sanitizer ||= sanitizer_vendor.full_sanitizer.new
+ @full_sanitizer ||= Rails::Html::Sanitizer.full_sanitizer.new
end
# Gets the Rails::Html::LinkSanitizer instance used by +strip_links+.
@@ -155,20 +149,18 @@ module ActionView
# class Application < Rails::Application
# config.action_view.link_sanitizer = MySpecialSanitizer.new
# end
- #
def link_sanitizer
- @link_sanitizer ||= sanitizer_vendor.link_sanitizer.new
+ @link_sanitizer ||= Rails::Html::Sanitizer.link_sanitizer.new
end
- # Gets the Rails::Html::WhiteListSanitizer instance used by sanitize and +sanitize_css+.
+ # Gets the Rails::Html::SafeListSanitizer instance used by sanitize and +sanitize_css+.
# Replace with any object that responds to +sanitize+.
#
# class Application < Rails::Application
- # config.action_view.white_list_sanitizer = MySpecialSanitizer.new
+ # config.action_view.safe_list_sanitizer = MySpecialSanitizer.new
# end
- #
- def white_list_sanitizer
- @white_list_sanitizer ||= sanitizer_vendor.white_list_sanitizer.new
+ def safe_list_sanitizer
+ @safe_list_sanitizer ||= Rails::Html::Sanitizer.safe_list_sanitizer.new
end
end
end
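Review bot: `white_list_sanitizer` is deleted outright here, and its `attr_writer` in the earlier ClassMethods hunk, although the commit description says it is deprecated and the first hunk adds `require "active_support/deprecation"` that nothing in the diff uses. An application that sets `config.action_view.white_list_sanitizer = MySpecialSanitizer.new`, the exact form the removed doc comment shows, would raise NoMethodError on upgrade instead of getting a deprecation warning, and anyone who rescues that would silently run the default sanitizer rather than the one they chose. Keep the old name as a deprecated reader/writer alias of `safe_list_sanitizer`, which is what the added require is presumably for; a sketch is below.
```ruby
def safe_list_sanitizer
  @safe_list_sanitizer ||= Rails::Html::Sanitizer.safe_list_sanitizer.new
end

# Deprecated spelling kept so existing config.action_view.white_list_sanitizer
# settings still select the sanitizer the application intended.
def white_list_sanitizer # :nodoc:
  safe_list_sanitizer
end

def white_list_sanitizer=(sanitizer) # :nodoc:
  self.safe_list_sanitizer = sanitizer
end
deprecate white_list_sanitizer: :safe_list_sanitizer,
          :white_list_sanitizer= => :safe_list_sanitizer=
```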