diff options
author | Kasper Timm Hansen <kaspth@gmail.com> | 2014-08-16 21:16:24 +0200 |
---|---|---|
committer | Kasper Timm Hansen <kaspth@gmail.com> | 2014-08-17 19:25:47 +0200 |
commit | 1e2ffe7ae67c37cf8170be0c864cbdaacc27c1b4 (patch) | |
tree | 268a11144c9cf80d5ed4d8a5114cd33d4ee022e5 /guides/source | |
parent | a2400308eab88b5eff27e05d1f7624345fb33b54 (diff) | |
download | rails-1e2ffe7ae67c37cf8170be0c864cbdaacc27c1b4.tar.gz rails-1e2ffe7ae67c37cf8170be0c864cbdaacc27c1b4.tar.bz2 rails-1e2ffe7ae67c37cf8170be0c864cbdaacc27c1b4.zip |
Prepare for partial release.
- Default to Rails::DeprecatedSanitizer in ActionView::Helpers::SanitizeHelper.
- Add upgrade notes.
- Add sanitizer to new applications Gemfiles.
- Remove 'rails-dom-testing' as a dependency.
Diffstat (limited to 'guides/source')
-rw-r--r-- | guides/source/upgrading_ruby_on_rails.md | 32 |
1 files changed, 32 insertions, 0 deletions
diff --git a/guides/source/upgrading_ruby_on_rails.md b/guides/source/upgrading_ruby_on_rails.md index cc20782780..799d5f3bc9 100644 --- a/guides/source/upgrading_ruby_on_rails.md +++ b/guides/source/upgrading_ruby_on_rails.md @@ -91,6 +91,38 @@ after_bundle do end ``` +### Rails Html Sanitizer + +There's a new choice for sanitizing HTML fragments in your applications. The +venerable html-scanner approach is now officially being deprecated in favor of +[`Rails Html Sanitizer`](https://github.com/rails/rails-html-sanitizer). + +This means the methods `sanitize`, `sanitize_css`, `strip_tags` and +`strip_links` are backed by a new implementation. + +In the next major Rails version `Rails Html Sanitizer` will be the default +sanitizer. It already is for new applications. + +Include this in your Gemfile to try it out today: + +```ruby +gem 'rails-html-sanitizer' +``` + +This new sanitizer uses [Loofah](https://github.com/flavorjones/loofah) internally. Loofah in turn uses Nokogiri, which +wraps XML parsers written in both C and Java, so sanitization should be faster +no matter which Ruby version you run. + +The new version updates `sanitize`, so it can take a `Loofah::Scrubber` for +powerful scrubbing. +[See some examples of scrubbers here](https://github.com/flavorjones/loofah#loofahscrubber). + +Two new scrubbers have also been added: `PermitScrubber` and `TargetScrubber`. +Read the [gem's readme](https://github.com/rails/rails-html-sanitizer) for more information. + +The documentation for `PermitScrubber` and `TargetScrubber` explains how you +can gain complete control over when and how elements should be stripped. + Upgrading from Rails 4.0 to Rails 4.1 ------------------------------------- |