-rw-r--r-- | actionpack/actionpack.gemspec | 2 | ||||
-rw-r--r-- | actionview/actionview.gemspec | 2 | ||||
-rw-r--r-- | actionview/lib/action_view/helpers/sanitize_helper.rb | 11 | ||||
-rw-r--r-- | actionview/test/template/sanitize_helper_test.rb | 2 | ||||
-rw-r--r-- | guides/source/4_2_release_notes.md | 3 | ||||
-rw-r--r-- | railties/test/application/default_stack_test.rb | 41 |
6 files changed, 8 insertions, 53 deletions
diff --git a/actionpack/actionpack.gemspec b/actionpack/actionpack.gemspec
index a39b3e86d4..c752388e28 100644
--- a/actionpack/actionpack.gemspec
+++ b/actionpack/actionpack.gemspec
@@ -23,7 +23,7 @@ Gem::Specification.new do |s|
 
   s.add_dependency 'rack', '~> 1.6.0.beta'
   s.add_dependency 'rack-test', '~> 0.6.2'
-  s.add_dependency 'rails-deprecated_sanitizer', '~> 1.0', '>= 1.0.2'
+  s.add_dependency 'rails-html-sanitizer', '~> 1.0'
   s.add_dependency 'rails-dom-testing', '~> 1.0', '>= 1.0.2'
   s.add_dependency 'actionview', version
 
diff --git a/actionview/actionview.gemspec b/actionview/actionview.gemspec
index 565c22e1e8..69c8326c51 100644
--- a/actionview/actionview.gemspec
+++ b/actionview/actionview.gemspec
@@ -23,7 +23,7 @@ Gem::Specification.new do |s|
 
   s.add_dependency 'builder', '~> 3.1'
   s.add_dependency 'erubis', '~> 2.7.0'
-  s.add_dependency 'rails-deprecated_sanitizer', '~> 1.0', '>= 1.0.2'
+  s.add_dependency 'rails-html-sanitizer', '~> 1.0'
   s.add_dependency 'rails-dom-testing', '~> 1.0', '>= 1.0.2'
 
   s.add_development_dependency 'actionpack', version
diff --git a/actionview/lib/action_view/helpers/sanitize_helper.rb b/actionview/lib/action_view/helpers/sanitize_helper.rb
index 394250f058..4f2db0a0c4 100644
--- a/actionview/lib/action_view/helpers/sanitize_helper.rb
+++ b/actionview/lib/action_view/helpers/sanitize_helper.rb
@@ -1,6 +1,6 @@
 require 'active_support/core_ext/object/try'
 require 'active_support/deprecation'
-require 'rails-deprecated_sanitizer'
+require 'rails-html-sanitizer'
 
 module ActionView
   # = Action View Sanitize Helpers
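Review bot: The replacement line in actionpack/actionpack.gemspec, `s.add_dependency 'rails-html-sanitizer', '~> 1.0'`, drops the patch-level floor that the removed line carried (`'>= 1.0.2'`), so any 1.x release down to 1.0.0 satisfies it; the actionview/actionview.gemspec hunk has the same shape. The changed expectation in sanitize_helper_test.rb suggests the helper's output tracks the sanitizer's release, so if the tests were written against a particular release it should be pinned as `s.add_dependency 'rails-html-sanitizer', '~> 1.0', '>= 1.0.MIN'` with MIN (placeholder) the lowest release the helper was validated against. Since this gem is now the component that neutralises untrusted HTML for the helpers, an explicit floor also records which sanitizer fixes a given Rails release guarantees.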
@@ -122,14 +122,9 @@ module ActionView
         attr_writer :full_sanitizer, :link_sanitizer, :white_list_sanitizer
 
         # Vendors the full, link and white list sanitizers.
-        # This uses html-scanner for the HTML sanitization.
-        # In the next Rails version this will use Rails::Html::Sanitizer instead.
-        # To get this new behavior now, in your Gemfile, add:
-        #
-        #   gem 'rails-html-sanitizer'
-        #
+        # Provided strictly for compabitility and can be removed in Rails 5.
         def sanitizer_vendor
-          Rails::DeprecatedSanitizer
+          Rails::Html::Sanitizer
         end
 
         def sanitized_allowed_tags
diff --git a/actionview/test/template/sanitize_helper_test.rb b/actionview/test/template/sanitize_helper_test.rb
index a27258a870..e4be21be2c 100644
--- a/actionview/test/template/sanitize_helper_test.rb
+++ b/actionview/test/template/sanitize_helper_test.rb
@@ -18,7 +18,7 @@ class SanitizeHelperTest < ActionView::TestCase
 
   def test_should_sanitize_illegal_style_properties
     raw = %(display:block; position:absolute; left:0; top:0; width:100%; height:100%; z-index:1; background-color:black; background-image:url(http://www.ragingplatypus.com/i/cam-full.jpg); background-x:center; background-y:center; background-repeat:repeat;)
-    expected = %(display: block; width: 100%; height: 100%; background-color: black; background-image: ; background-x: center; background-y: center;)
+    expected = %(display: block; width: 100%; height: 100%; background-color: black; background-x: center; background-y: center;)
     assert_equal expected, sanitize_css(raw)
   end
 
diff --git a/guides/source/4_2_release_notes.md b/guides/source/4_2_release_notes.md
index ae8ef34cdd..dad973cf5e 100644
--- a/guides/source/4_2_release_notes.md
+++ b/guides/source/4_2_release_notes.md
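Review bot: The added comment on `sanitizer_vendor` misspells compatibility (`compabitility`) and, with the html-scanner explanation removed, no longer tells the reader what the method now returns or why an application would still call it. I would write the two comment lines as `# Vendors the full, link and white list sanitizers. Returns Rails::Html::Sanitizer.` and `# Provided strictly for compatibility and can be removed in Rails 5.`. Worth noting that railties/test/application/default_stack_test.rb, deleted in this same commit, appears to have been the only test asserting that the default stack's vendor is `Rails::Html::Sanitizer`; a one-line `assert_equal Rails::Html::Sanitizer, ...sanitizer_vendor` in sanitize_helper_test.rb would keep that wiring pinned. The module enclosing this method starts and ends outside the hunk.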
@@ -167,7 +167,8 @@ config.log_level = :info
 ### HTML Sanitizer
 
 The HTML sanitizer has been replaced with a new, more robust, implementation
-built upon Loofah and Nokogiri. The new sanitizer is (TODO: betterer).
+built upon Loofah and Nokogiri. The new sanitizer is more secure and its
+sanitization is more powerful and flexible.
 
 With a new sanitization algorithm, the sanitized output will change for certain
 pathological inputs.
diff --git a/railties/test/application/default_stack_test.rb b/railties/test/application/default_stack_test.rb
deleted file mode 100644
index 4778cdd74c..0000000000
--- a/railties/test/application/default_stack_test.rb
+++ /dev/null
@@ -1,41 +0,0 @@
-# -*- coding: utf-8 -*-
-require 'isolation/abstract_unit'
-require 'rack/test'
-require 'active_support/json'
-
-module ApplicationTests
-  class DefaultStackTest < ActiveSupport::TestCase
-    include ActiveSupport::Testing::Isolation
-    include Rack::Test::Methods
-
-    def setup
-      build_app(initializers: true)
-      boot_rails
-    end
-
-    def teardown
-      teardown_app
-    end
-
-    test "the sanitizer helper" do
-      controller :foo, <<-RUBY
-        class FooController < ApplicationController
-          def index
-            render text: self.class.helpers.class.sanitizer_vendor
-          end
-        end
-      RUBY
-
-      app_file 'config/routes.rb', <<-RUBY
-        Rails.application.routes.draw do
-          get ':controller(/:action)'
-        end
-      RUBY
-
-      require "#{app_path}/config/environment"
-
-      get "/foo"
-      assert_equal 'Rails::Html::Sanitizer', last_response.body.strip
-    end
-  end
-end