Update sanitize text helper to strip plaintext tags, and <img src=javascript:bang>. [Rick Olson]

git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@4911 5ecf4fe2-1ee6-0310-87b1-e25e094e27de

1 files changed, 3 insertions, 3 deletions

diff --git a/actionpack/lib/action_view/helpers/text_helper.rb b/actionpack/lib/action_view/helpers/text_helper.rb
index a2efedf100..8b724127a2 100644
--- a/actionpack/lib/action_view/helpers/text_helper.rb
+++ b/actionpack/lib/action_view/helpers/text_helper.rb
@@ -168,7 +168,7 @@ module ActionView
         require 'html/node'
       end
 
-      VERBOTEN_TAGS = %w(form script) unless defined?(VERBOTEN_TAGS)
+      VERBOTEN_TAGS = %w(form script plaintext) unless defined?(VERBOTEN_TAGS)
       VERBOTEN_ATTRS = /^on/i unless defined?(VERBOTEN_ATTRS)
 
       # Sanitizes the given HTML by making form and script tags into regular
@@ -192,8 +192,8 @@ module ActionView
                 else
                   if node.closing != :close
                     node.attributes.delete_if { |attr,v| attr =~ VERBOTEN_ATTRS }
-                    if node.attributes["href"] =~ /^javascript:/i
-                      node.attributes.delete "href"
+                    %w(href src).each do |attr|
+                      node.attributes.delete attr if node.attributes[attr] =~ /^javascript:/i
                     end
                   end
                   node.to_s