From 504a9715ee60f0bc1bf67d6e81640e9bb6f29dfc Mon Sep 17 00:00:00 2001 From: Andrew Hood Date: Mon, 27 Feb 2017 10:51:26 -0800 Subject: Remove `encode_special_chars` option from `strip_tags` --- actionview/CHANGELOG.md | 7 +++++++ actionview/lib/action_view/helpers/sanitize_helper.rb | 14 ++++++++++---- actionview/test/template/sanitize_helper_test.rb | 2 ++ 3 files changed, 19 insertions(+), 4 deletions(-) (limited to 'actionview') diff --git a/actionview/CHANGELOG.md b/actionview/CHANGELOG.md index f5d2c9f23b..f2ae74454a 100644 --- a/actionview/CHANGELOG.md +++ b/actionview/CHANGELOG.md @@ -1,3 +1,10 @@ +* Remove the option `encode_special_chars` misnomer from `strip_tags` + + As of rails-html-sanitizer v1.0.3 sanitizer will ignore the + `encode_special_chars` option. Fixes #28060. + + *Andrew Hood* + ## Rails 5.1.0.beta1 (February 23, 2017) ## * Change the ERB handler from Erubis to Erubi. diff --git a/actionview/lib/action_view/helpers/sanitize_helper.rb b/actionview/lib/action_view/helpers/sanitize_helper.rb index 1e9b813d3d..0abd5bc5dc 100644 --- a/actionview/lib/action_view/helpers/sanitize_helper.rb +++ b/actionview/lib/action_view/helpers/sanitize_helper.rb @@ -13,6 +13,7 @@ module ActionView # It also strips href/src attributes with unsafe protocols like # javascript:, while also protecting against attempts to use Unicode, # ASCII, and hex character references to work around these protocol filters. + # All special characters will be escaped. # # The default sanitizer is Rails::Html::WhiteListSanitizer. See {Rails HTML # Sanitizers}[https://github.com/rails/rails-html-sanitizer] for more information. @@ -20,8 +21,7 @@ module ActionView # Custom sanitization rules can also be provided. # # Please note that sanitizing user-provided text does not guarantee that the - # resulting markup is valid or even well-formed. For example, the output may still - # contain unescaped characters like <, >, or &. + # resulting markup is valid or even well-formed. # # ==== Options # @@ -86,7 +86,7 @@ module ActionView self.class.white_list_sanitizer.sanitize_css(style) end - # Strips all HTML tags from +html+, including comments. + # Strips all HTML tags from +html+, including comments and special characters. # # strip_tags("Strip these tags!") # # => Strip these tags! @@ -96,8 +96,11 @@ module ActionView # # strip_tags("
Welcome to my website!
") # # => Welcome to my website! + # + # strip_tags("> A quote from Smith & Wesson") + # # => > A quote from Smith & Wesson def strip_tags(html) - self.class.full_sanitizer.sanitize(html, encode_special_chars: false) + self.class.full_sanitizer.sanitize(html) end # Strips all link tags from +html+ leaving just the link text. @@ -110,6 +113,9 @@ module ActionView # # strip_links('Blog: Visit.') # # => Blog: Visit. + # + # strip_links('<malformed & link') + # # => <malformed & link def strip_links(html) self.class.link_sanitizer.sanitize(html) end diff --git a/actionview/test/template/sanitize_helper_test.rb b/actionview/test/template/sanitize_helper_test.rb index c8963fee9c..11ed55456f 100644 --- a/actionview/test/template/sanitize_helper_test.rb +++ b/actionview/test/template/sanitize_helper_test.rb @@ -10,6 +10,7 @@ class SanitizeHelperTest < ActionView::TestCase assert_equal "on my mind\nall day long", strip_links("on my mind\nall day long") assert_equal "Magic", strip_links("Magic") assert_equal "My mind\nall day long", strip_links("My mind\nall day long") + assert_equal "<malformed & link", strip_links('<malformed & link') end def test_sanitize_form @@ -26,6 +27,7 @@ class SanitizeHelperTest < ActionView::TestCase assert_equal("Dont touch me", strip_tags("Dont touch me")) assert_equal("This is a test.", strip_tags("

This is a test.

")) assert_equal "This has a here.", strip_tags("This has a here.") + assert_equal("Jekyll & Hyde", strip_tags("Jekyll & Hyde")) assert_equal "", strip_tags("