From 0c999f4125b04be552a3b7ed1ee7787d53d3a477 Mon Sep 17 00:00:00 2001
From: Rick Olson
Date: Sun, 3 Sep 2006 00:02:14 +0000
Subject: Update sanitize text helper to strip plaintext tags, and . [Rick Olson]
git-svn-id: http://svn-commit.rubyonrails.org/rails/trunk@4911 5ecf4fe2-1ee6-0310-87b1-e25e094e27de
---
 actionpack/lib/action_view/helpers/text_helper.rb | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
(limited to 'actionpack/lib/action_view')
diff --git a/actionpack/lib/action_view/helpers/text_helper.rb b/actionpack/lib/action_view/helpers/text_helper.rb
index a2efedf100..8b724127a2 100644
--- a/actionpack/lib/action_view/helpers/text_helper.rb
+++ b/actionpack/lib/action_view/helpers/text_helper.rb
@@ -168,7 +168,7 @@ module ActionView
 require 'html/node'
 end
- VERBOTEN_TAGS = %w(form script) unless defined?(VERBOTEN_TAGS)
+ VERBOTEN_TAGS = %w(form script plaintext) unless defined?(VERBOTEN_TAGS)
 VERBOTEN_ATTRS = /^on/i unless defined?(VERBOTEN_ATTRS)
 # Sanitizes the given HTML by making form and script tags into regular
@@ -192,8 +192,8 @@ module ActionView
 else
 if node.closing != :close
 node.attributes.delete_if { |attr,v| attr =~ VERBOTEN_ATTRS }
- if node.attributes["href"] =~ /^javascript:/i
- node.attributes.delete "href"
+ %w(href src).each do |attr|
+ node.attributes.delete attr if node.attributes[attr] =~ /^javascript:/i
 end
 end
 node.to_s
--
cgit v1.2.3
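Review bot: `VERBOTEN_TAGS` remains a denylist, so adding `plaintext` covers one more element while every tag not named in `%w(form script plaintext)` still passes through unchanged; for untrusted HTML an allowlist of permitted tags is the safer design. The doc comment on the last context line still reads "making form and script tags into regular" and should at least be brought in line, e.g. `# Sanitizes the given HTML by making form, script and plaintext tags into regular`. The sanitize method itself lies outside this hunk, so how the list is applied cannot be confirmed from here.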
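Review bot: The new `%w(href src).each` loop matches the raw attribute value against `/^javascript:/i`, so a value that a browser normalises before resolving the scheme (leading whitespace or control characters, character entities) would not match and the attribute would be kept. A small hardening is `node.attributes.delete attr if node.attributes[attr].to_s =~ /\A[\x00-\x20]*javascript:/i`, but that is still a denylist of one scheme on two attributes. The more robust fix is to decode the value and keep only an explicit allowlist of schemes, applied to every URL-bearing attribute. The enclosing block starts and ends outside this hunk, so whether the value is decoded earlier cannot be seen here.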