author | Timm <kaspth@gmail.com> | 2013-08-16 16:49:05 +0200 |
---|---|---|
committer | Timm <kaspth@gmail.com> | 2014-06-16 21:04:07 +0200 |
commit | 97c5e6fa027d0ef9151172c193b1f61ee4c4c70a (patch) | |
tree | 4bc2fb6763031787f9455948c1a5e2e1003bb80d /actionview | |
parent | 9a3a59eaaefd175379963a3a6048bdb5b3950fb8 (diff) | |
Changed: remove_xpaths called with String returns String, while called with Loofah fragment returns Loofah fragment. Added tests for this.
Diffstat (limited to 'actionview')
-rw-r--r-- | actionview/lib/action_view/helpers/sanitize_helper/sanitizers.rb | 4 | ||||
-rw-r--r-- | actionview/test/template/sanitizers_test.rb | 11 |
2 files changed, 13 insertions, 2 deletions
diff --git a/actionview/lib/action_view/helpers/sanitize_helper/sanitizers.rb b/actionview/lib/action_view/helpers/sanitize_helper/sanitizers.rb
index c6bbf5e3f7..01ab9830f3 100644
--- a/actionview/lib/action_view/helpers/sanitize_helper/sanitizers.rb
+++ b/actionview/lib/action_view/helpers/sanitize_helper/sanitizers.rb
@@ -14,9 +14,9 @@ module ActionView
 def remove_xpaths(html, xpaths)
 if html.respond_to?(:xpath)
 xpaths.each { |xpath| html.xpath(xpath).remove }
- html.to_s
+ html
 else
- remove_xpaths(Loofah.fragment(html), xpaths)
+ remove_xpaths(Loofah.fragment(html), xpaths).to_s
 end
 end
 end
diff --git a/actionview/test/template/sanitizers_test.rb b/actionview/test/template/sanitizers_test.rb
index 825a3a1b75..8d2934caed 100644
--- a/actionview/test/template/sanitizers_test.rb
+++ b/actionview/test/template/sanitizers_test.rb
@@ -37,6 +37,17 @@ class SanitizersTest < ActionController::TestCase
 end
 end
+ def test_sanitizer_remove_xpaths_called_with_string_returns_string
+ sanitizer = ActionView::Sanitizer.new
+ assert '<a></a>', sanitizer.remove_xpaths('<a></a>', [])
+ end
+
+ def test_sanitizer_remove_xpaths_called_with_fragment_returns_fragment
+ sanitizer = ActionView::Sanitizer.new
+ fragment = sanitizer.remove_xpaths(Loofah.fragment('<a></a>'), [])
+ assert_kind_of Loofah::HTML::DocumentFragment, fragment
+ end
+
+ def test_strip_tags_with_quote
 sanitizer = ActionView::FullSanitizer.new
 string = '<" <img src="trollface.gif" onload="alert(1)"> hi' |
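Review bot: `remove_xpaths` carries no comment saying that its return type now follows its argument type, and for a sanitizer helper that contract matters. When `html` responds to `xpath`, the matched nodes are removed from the caller's own object and that same object is returned unserialized, so a caller that used to receive a String must now call `.to_s` itself before the value is emitted. I would add above the method: `# Returns a String when given a String. Given an object responding to #xpath, removes the matches in place and returns that same object; call #to_s to serialize.` The callers in this file are outside the hunk, so whether any still expects a String from a fragment argument cannot be checked from here.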
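Review bot: The string-returns-string test cannot fail, because `assert '<a></a>', sanitizer.remove_xpaths('<a></a>', [])` passes the literal as the value under test and the method result as the failure message, and a non-empty String is always truthy. It should read `assert_equal '<a></a>', sanitizer.remove_xpaths('<a></a>', [])`, ideally with `assert_kind_of String, ...` so it checks what the test name promises. Both new tests also pass an empty `xpaths` array, so the removal path of a sanitizer method is never exercised; a case with a real expression that asserts the node is absent from the result would cover it. The SanitizersTest class starts and continues outside the hunk.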