authorKevin Deisz <kevin.deisz@gmail.com>2018-08-27 09:30:05 -0400
committerKevin Deisz <kevin.deisz@gmail.com>2018-08-27 09:51:46 -0400
commit7c9751d7fe3aec1e67004d1bb5e4a1702fcacafb (patch)
treef67885f8ceeee2b867a451afcab6a145425dcadb /actionview/lib/action_view
parent0efecd913c07104e8fba82d5044c1ad824af68d5 (diff)
Permit list usage cleanup and clearer documentation
Diffstat (limited to 'actionview/lib/action_view')
-rw-r--r--actionview/lib/action_view/helpers/sanitize_helper.rb2
-rw-r--r--actionview/lib/action_view/template/handlers/erb.rb12
2 files changed, 7 insertions, 7 deletions
diff --git a/actionview/lib/action_view/helpers/sanitize_helper.rb b/actionview/lib/action_view/helpers/sanitize_helper.rb
index d27d5d7e12..f4fa133f55 100644
--- a/actionview/lib/action_view/helpers/sanitize_helper.rb
+++ b/actionview/lib/action_view/helpers/sanitize_helper.rb
@@ -10,7 +10,7 @@ module ActionView
# These helper methods extend Action View making them callable within your template files.
module SanitizeHelper
extend ActiveSupport::Concern
- # Sanitizes HTML input, stripping all tags and attributes that aren't permitted.
+ # Sanitizes HTML input, stripping all but known-safe tags and attributes.
#
# It also strips href/src attributes with unsafe protocols like
# <tt>javascript:</tt>, while also protecting against attempts to use Unicode,
diff --git a/actionview/lib/action_view/template/handlers/erb.rb b/actionview/lib/action_view/template/handlers/erb.rb
index 93edef9c26..270be0a380 100644
--- a/actionview/lib/action_view/template/handlers/erb.rb
+++ b/actionview/lib/action_view/template/handlers/erb.rb
@@ -14,15 +14,15 @@ module ActionView
class_attribute :erb_implementation, default: Erubi
# Do not escape templates of these mime types.
- class_attribute :escape_permit_list, default: ["text/plain"]
+ class_attribute :escape_ignore_list, default: ["text/plain"]
[self, singleton_class].each do |base|
- base.alias_method :escape_whitelist, :escape_permit_list
- base.alias_method :escape_whitelist=, :escape_permit_list=
+ base.send(:alias_method, :escape_whitelist, :escape_ignore_list)
+ base.send(:alias_method, :escape_whitelist=, :escape_ignore_list=)
base.deprecate(
- escape_whitelist: 'use #escape_permit_list instead',
- :escape_whitelist= => 'use #escape_permit_list= instead'
+ escape_whitelist: "use #escape_ignore_list instead",
+ :escape_whitelist= => "use #escape_ignore_list= instead"
)
end
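Review bot: The switch from `base.alias_method` to `base.send(:alias_method, ...)` is unexplained in the hunk; `send` bypasses method visibility, and since `Module#alias_method` is private on older Ruby versions (it became public in 2.5, if I recall correctly) a reader needs to know that is the reason rather than a workaround for something else. A one-line comment above the `each` block such as `# alias_method is private on Rubies older than 2.5, so go through send` would make the intent explicit and let the `send` be dropped once the minimum Ruby version allows. Separately, only `escape_whitelist` gets a deprecated alias while `escape_permit_list` is renamed outright; if `escape_permit_list` was ever shipped in a release, applications that already migrated to it would now fail with NoMethodError rather than a deprecation, so it may deserve the same alias-and-deprecate treatment. The `[self, singleton_class].each` block is fully inside the hunk, but the enclosing class starts outside it.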
@@ -57,7 +57,7 @@ module ActionView
self.class.erb_implementation.new(
erb,
- escape: (self.class.escape_permit_list.include? template.type),
+ escape: (self.class.escape_ignore_list.include? template.type),
trim: (self.class.erb_trim_mode == "-")
).src
end
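Review bot: The renamed line `escape: (self.class.escape_ignore_list.include? template.type)` reads as a contradiction next to the attribute's own comment "Do not escape templates of these mime types": a template whose type is in the ignore list passes `escape: true`. Presumably the Erubi implementation's `escape` flag inverts the default treatment of `<%= %>` rather than meaning "HTML-escape this template", but that is not visible here, and since this flag decides whether output is HTML-escaped it is the kind of thing a maintainer should not have to guess. A comment on that line, e.g. `# escape: true here flips the handler's default, so ignore-listed types are NOT html-escaped`, worded to match the actual implementation, would close the gap. The enclosing method starts outside the hunk.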