aboutsummaryrefslogtreecommitdiffstats
path: root/actionpack/lib/action_controller/vendor/html-scanner
diff options
context:
space:
mode:
authorPiotr Sarnacki <drogus@gmail.com>2012-03-27 02:07:09 +0200
committerPiotr Sarnacki <drogus@gmail.com>2012-03-27 02:26:17 +0200
commit37c84ed877188151c14af2b1401e4f2bd860bdd7 (patch)
treebb552a00ca8165d550542c3135885ec9512db9fa /actionpack/lib/action_controller/vendor/html-scanner
parent494610792530bc21f5c284a4eb66278b07953a5b (diff)
downloadrails-37c84ed877188151c14af2b1401e4f2bd860bdd7.tar.gz
rails-37c84ed877188151c14af2b1401e4f2bd860bdd7.tar.bz2
rails-37c84ed877188151c14af2b1401e4f2bd860bdd7.zip
Don't ignore non Enumerable values passed to sanitize (closes #5585)
When someone accidentally passes a string to sanitize like: sanitize("<span>foo</span>", :tags => "b") there is no indication that it's the wrong way and span will not be removed.
Diffstat (limited to 'actionpack/lib/action_controller/vendor/html-scanner')
-rw-r--r--actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb11
1 files changed, 11 insertions, 0 deletions
diff --git a/actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb b/actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb
index 24ffc28710..e9b50ff8ce 100644
--- a/actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb
+++ b/actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb
@@ -5,6 +5,7 @@ require 'active_support/core_ext/class/attribute'
module HTML
class Sanitizer
def sanitize(text, options = {})
+ validate_options(options)
return text unless sanitizeable?(text)
tokenize(text, options).join
end
@@ -27,6 +28,16 @@ module HTML
def process_node(node, result, options)
result << node.to_s
end
+
+ def validate_options(options)
+ if options[:tags] && !options[:tags].is_a?(Enumerable)
+ raise ArgumentError, "You should pass :tags as an Enumerable"
+ end
+
+ if options[:attributes] && !options[:attributes].is_a?(Enumerable)
+ raise ArgumentError, "You should pass :attributes as an Enumerable"
+ end
+ end
end
class FullSanitizer < Sanitizer