From 37c84ed877188151c14af2b1401e4f2bd860bdd7 Mon Sep 17 00:00:00 2001
From: Piotr Sarnacki
Date: Tue, 27 Mar 2012 02:07:09 +0200
Subject: Don't ignore non Enumerable values passed to sanitize (closes #5585)

When someone accidentally passes a string to sanitize like: sanitize("foo", :tags => "b") there is no indication that it's the wrong way and span will not be removed.
---
 .../action_controller/vendor/html-scanner/html/sanitizer.rb | 11 +++++++++++
 1 file changed, 11 insertions(+)

(limited to 'actionpack/lib')

diff --git a/actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb b/actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb
index 24ffc28710..e9b50ff8ce 100644
--- a/actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb
+++ b/actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb
@@ -5,6 +5,7 @@ require 'active_support/core_ext/class/attribute'
 module HTML
   class Sanitizer
     def sanitize(text, options = {})
+      validate_options(options)
       return text unless sanitizeable?(text)
       tokenize(text, options).join
     end
@@ -27,6 +28,16 @@ module HTML
     def process_node(node, result, options)
       result << node.to_s
     end
+
+    def validate_options(options)
+      if options[:tags] && !options[:tags].is_a?(Enumerable)
+        raise ArgumentError, "You should pass :tags as an Enumerable"
+      end
+
+      if options[:attributes] && !options[:attributes].is_a?(Enumerable)
+        raise ArgumentError, "You should pass :attributes as an Enumerable"
+      end
+    end
   end
 
   class FullSanitizer < Sanitizer
--
cgit v1.2.3
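Review bot: The two `if` blocks in `validate_options` (second hunk) are the same check applied to two option keys; iterating over `[:tags, :attributes]` and interpolating the key into the message keeps the raised text byte-identical while removing the duplication. A one-line comment on why `is_a?(Enumerable)` is used instead of a duck-typed `respond_to?(:include?)` would also help the next maintainer, since `String` answers `include?` with substring matching and that is exactly the silent misbehaviour the commit message describes: `# String responds to include? (substring match), so a duck-typed check would accept the very input this guards against`. Whether the new method ends up under a `protected` marker depends on lines outside the hunk; the `process_node` it follows suggests so, which is appropriate for an internal guard.
```ruby
    def validate_options(options)
      # String responds to include? (substring match), so a duck-typed check
      # would accept the very input this guards against; require a real Enumerable.
      [:tags, :attributes].each do |key|
        if options[key] && !options[key].is_a?(Enumerable)
          raise ArgumentError, "You should pass :#{key} as an Enumerable"
        end
      end
    end
```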