diff options
| author | Piotr Sarnacki <drogus@gmail.com> | 2012-03-27 02:07:09 +0200 |
|---|---|---|
| committer | Piotr Sarnacki <drogus@gmail.com> | 2012-03-27 02:26:17 +0200 |
| commit | 37c84ed877188151c14af2b1401e4f2bd860bdd7 (patch) | |
| tree | bb552a00ca8165d550542c3135885ec9512db9fa /actionpack/lib/action_controller/vendor | |
| parent | 494610792530bc21f5c284a4eb66278b07953a5b (diff) | |
| download | rails-37c84ed877188151c14af2b1401e4f2bd860bdd7.tar.gz rails-37c84ed877188151c14af2b1401e4f2bd860bdd7.tar.bz2 rails-37c84ed877188151c14af2b1401e4f2bd860bdd7.zip | |
Don't ignore non Enumerable values passed to sanitize (closes #5585)
When someone accidentally passes a string to sanitize like:
sanitize("<span>foo</span>", :tags => "b")
there is no indication that it's the wrong way and span
will not be removed.
Diffstat (limited to 'actionpack/lib/action_controller/vendor')
| -rw-r--r-- | actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb b/actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb index 24ffc28710..e9b50ff8ce 100644 --- a/actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb +++ b/actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb @@ -5,6 +5,7 @@ require 'active_support/core_ext/class/attribute' module HTML class Sanitizer def sanitize(text, options = {}) + validate_options(options) return text unless sanitizeable?(text) tokenize(text, options).join end @@ -27,6 +28,16 @@ module HTML def process_node(node, result, options) result << node.to_s end + + def validate_options(options) + if options[:tags] && !options[:tags].is_a?(Enumerable) + raise ArgumentError, "You should pass :tags as an Enumerable" + end + + if options[:attributes] && !options[:attributes].is_a?(Enumerable) + raise ArgumentError, "You should pass :attributes as an Enumerable" + end + end end class FullSanitizer < Sanitizer |