diff options
| author | Leonel Galán <leonel@getstealz.com> | 2017-04-03 22:59:43 -0400 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2017-04-03 22:59:43 -0400 |
| commit | 8648f289f01656b2258687126108c389127108e0 (patch) | |
| tree | 1ccb15f72f00d8c30497ad4e48f203545dd3383b /actionview/lib/action_view/helpers/sanitize_helper.rb | |
| parent | 28b3582aa2cd6007c708134b911b3f360ad5d659 (diff) | |
| parent | e8c33349bfabca28996ac74d344d69c7aaffec50 (diff) | |
| download | rails-8648f289f01656b2258687126108c389127108e0.tar.gz rails-8648f289f01656b2258687126108c389127108e0.tar.bz2 rails-8648f289f01656b2258687126108c389127108e0.zip | |
Merge branch 'master' into bug/filtered_parameters_class
Diffstat (limited to 'actionview/lib/action_view/helpers/sanitize_helper.rb')
| -rw-r--r-- | actionview/lib/action_view/helpers/sanitize_helper.rb | 14 |
1 files changed, 10 insertions, 4 deletions
diff --git a/actionview/lib/action_view/helpers/sanitize_helper.rb b/actionview/lib/action_view/helpers/sanitize_helper.rb index 1e9b813d3d..0abd5bc5dc 100644 --- a/actionview/lib/action_view/helpers/sanitize_helper.rb +++ b/actionview/lib/action_view/helpers/sanitize_helper.rb @@ -13,6 +13,7 @@ module ActionView # It also strips href/src attributes with unsafe protocols like # <tt>javascript:</tt>, while also protecting against attempts to use Unicode, # ASCII, and hex character references to work around these protocol filters. + # All special characters will be escaped. # # The default sanitizer is Rails::Html::WhiteListSanitizer. See {Rails HTML # Sanitizers}[https://github.com/rails/rails-html-sanitizer] for more information. @@ -20,8 +21,7 @@ module ActionView # Custom sanitization rules can also be provided. # # Please note that sanitizing user-provided text does not guarantee that the - # resulting markup is valid or even well-formed. For example, the output may still - # contain unescaped characters like <tt><</tt>, <tt>></tt>, or <tt>&</tt>. + # resulting markup is valid or even well-formed. # # ==== Options # @@ -86,7 +86,7 @@ module ActionView self.class.white_list_sanitizer.sanitize_css(style) end - # Strips all HTML tags from +html+, including comments. + # Strips all HTML tags from +html+, including comments and special characters. # # strip_tags("Strip <i>these</i> tags!") # # => Strip these tags! @@ -96,8 +96,11 @@ module ActionView # # strip_tags("<div id='top-bar'>Welcome to my website!</div>") # # => Welcome to my website! + # + # strip_tags("> A quote from Smith & Wesson") + # # => > A quote from Smith & Wesson def strip_tags(html) - self.class.full_sanitizer.sanitize(html, encode_special_chars: false) + self.class.full_sanitizer.sanitize(html) end # Strips all link tags from +html+ leaving just the link text. @@ -110,6 +113,9 @@ module ActionView # # strip_links('Blog: <a href="http://www.myblog.com/" class="nav" target=\"_blank\">Visit</a>.') # # => Blog: Visit. + # + # strip_links('<<a href="https://example.org">malformed & link</a>') + # # => <malformed & link def strip_links(html) self.class.link_sanitizer.sanitize(html) end |