From c14859513a648270705b61210dc3ab2fe5d04004 Mon Sep 17 00:00:00 2001 From: Kevin Deisz Date: Fri, 24 Aug 2018 16:10:17 -0400 Subject: Convert over the rest of the whitelist references --- actionview/lib/action_view/helpers/sanitize_helper.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'actionview') diff --git a/actionview/lib/action_view/helpers/sanitize_helper.rb b/actionview/lib/action_view/helpers/sanitize_helper.rb index cb0c99c4cf..d27d5d7e12 100644 --- a/actionview/lib/action_view/helpers/sanitize_helper.rb +++ b/actionview/lib/action_view/helpers/sanitize_helper.rb @@ -10,7 +10,7 @@ module ActionView # These helper methods extend Action View making them callable within your template files. module SanitizeHelper extend ActiveSupport::Concern - # Sanitizes HTML input, stripping all tags and attributes that aren't whitelisted. + # Sanitizes HTML input, stripping all tags and attributes that aren't permitted. # # It also strips href/src attributes with unsafe protocols like # javascript:, while also protecting against attempts to use Unicode, @@ -40,7 +40,7 @@ module ActionView # # <%= sanitize @comment.body %> # - # Providing custom whitelisted tags and attributes: + # Providing custom lists of permitted tags and attributes: # # <%= sanitize @comment.body, tags: %w(strong em a), attributes: %w(href) %> # -- cgit v1.2.3 From cac2bb7f44a6b8e240034d1de89a41fe0dd9f0ec Mon Sep 17 00:00:00 2001 From: Kevin Deisz Date: Fri, 24 Aug 2018 16:13:57 -0400 Subject: Deprecate usage of ActionView::Template::Handlers::ERB::escape_whitelist --- actionview/lib/action_view/template/handlers/erb.rb | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-) (limited to 'actionview') diff --git a/actionview/lib/action_view/template/handlers/erb.rb b/actionview/lib/action_view/template/handlers/erb.rb index b7b749f9da..93edef9c26 100644 --- a/actionview/lib/action_view/template/handlers/erb.rb +++ b/actionview/lib/action_view/template/handlers/erb.rb @@ -14,7 +14,17 @@ module ActionView class_attribute :erb_implementation, default: Erubi # Do not escape templates of these mime types. - class_attribute :escape_whitelist, default: ["text/plain"] + class_attribute :escape_permit_list, default: ["text/plain"] + + [self, singleton_class].each do |base| + base.alias_method :escape_whitelist, :escape_permit_list + base.alias_method :escape_whitelist=, :escape_permit_list= + + base.deprecate( + escape_whitelist: 'use #escape_permit_list instead', + :escape_whitelist= => 'use #escape_permit_list= instead' + ) + end ENCODING_TAG = Regexp.new("\\A(<%#{ENCODING_FLAG}-?%>)[ \\t]*") @@ -47,7 +57,7 @@ module ActionView self.class.erb_implementation.new( erb, - escape: (self.class.escape_whitelist.include? template.type), + escape: (self.class.escape_permit_list.include? template.type), trim: (self.class.erb_trim_mode == "-") ).src end -- cgit v1.2.3 From 7c9751d7fe3aec1e67004d1bb5e4a1702fcacafb Mon Sep 17 00:00:00 2001 From: Kevin Deisz Date: Mon, 27 Aug 2018 09:30:05 -0400 Subject: Permit list usage cleanup and clearer documentation --- actionview/lib/action_view/helpers/sanitize_helper.rb | 2 +- actionview/lib/action_view/template/handlers/erb.rb | 12 ++++++------ 2 files changed, 7 insertions(+), 7 deletions(-) (limited to 'actionview') diff --git a/actionview/lib/action_view/helpers/sanitize_helper.rb b/actionview/lib/action_view/helpers/sanitize_helper.rb index d27d5d7e12..f4fa133f55 100644 --- a/actionview/lib/action_view/helpers/sanitize_helper.rb +++ b/actionview/lib/action_view/helpers/sanitize_helper.rb @@ -10,7 +10,7 @@ module ActionView # These helper methods extend Action View making them callable within your template files. module SanitizeHelper extend ActiveSupport::Concern - # Sanitizes HTML input, stripping all tags and attributes that aren't permitted. + # Sanitizes HTML input, stripping all but known-safe tags and attributes. # # It also strips href/src attributes with unsafe protocols like # javascript:, while also protecting against attempts to use Unicode, diff --git a/actionview/lib/action_view/template/handlers/erb.rb b/actionview/lib/action_view/template/handlers/erb.rb index 93edef9c26..270be0a380 100644 --- a/actionview/lib/action_view/template/handlers/erb.rb +++ b/actionview/lib/action_view/template/handlers/erb.rb @@ -14,15 +14,15 @@ module ActionView class_attribute :erb_implementation, default: Erubi # Do not escape templates of these mime types. - class_attribute :escape_permit_list, default: ["text/plain"] + class_attribute :escape_ignore_list, default: ["text/plain"] [self, singleton_class].each do |base| - base.alias_method :escape_whitelist, :escape_permit_list - base.alias_method :escape_whitelist=, :escape_permit_list= + base.send(:alias_method, :escape_whitelist, :escape_ignore_list) + base.send(:alias_method, :escape_whitelist=, :escape_ignore_list=) base.deprecate( - escape_whitelist: 'use #escape_permit_list instead', - :escape_whitelist= => 'use #escape_permit_list= instead' + escape_whitelist: "use #escape_ignore_list instead", + :escape_whitelist= => "use #escape_ignore_list= instead" ) end @@ -57,7 +57,7 @@ module ActionView self.class.erb_implementation.new( erb, - escape: (self.class.escape_permit_list.include? template.type), + escape: (self.class.escape_ignore_list.include? template.type), trim: (self.class.erb_trim_mode == "-") ).src end -- cgit v1.2.3