From 6241bb8cf45979cc9ffaa916ed83e7cc6b48a38e Mon Sep 17 00:00:00 2001
From: Timm
Date: Mon, 15 Jul 2013 21:54:43 +0200
Subject: Added ability to pass a custom scrubber to sanitize. Includes test coverage.
---
 .../helpers/sanitize_helper/sanitizers.rb | 4 ++-
 actionview/test/template/sanitizers_test.rb | 36 ++++++++++++++++++++++
 2 files changed, 39 insertions(+), 1 deletion(-)
(limited to 'actionview')
diff --git a/actionview/lib/action_view/helpers/sanitize_helper/sanitizers.rb b/actionview/lib/action_view/helpers/sanitize_helper/sanitizers.rb
index af0aa12349..eab6d6a515 100644
--- a/actionview/lib/action_view/helpers/sanitize_helper/sanitizers.rb
+++ b/actionview/lib/action_view/helpers/sanitize_helper/sanitizers.rb
@@ -56,7 +56,9 @@ module ActionView
 return nil unless html
 loofah_fragment = Loofah.fragment(html)
- if options[:tags] || options[:attributes]
+ if scrubber = options[:scrubber] # Loofah makes sure this is a scrubber
+ loofah_fragment.scrub!(scrubber)
+ elsif options[:tags] || options[:attributes]
 @permit_scrubber.tags = options[:tags]
 @permit_scrubber.attributes = options[:attributes]
 loofah_fragment.scrub!(@permit_scrubber)
diff --git a/actionview/test/template/sanitizers_test.rb b/actionview/test/template/sanitizers_test.rb
index 8b91dd9c5a..9d64a659b1 100644
--- a/actionview/test/template/sanitizers_test.rb
+++ b/actionview/test/template/sanitizers_test.rb
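Review bot: The new `:scrubber` branch bypasses the whitelist entirely: when a scrubber is supplied, `@permit_scrubber` is never applied and `:tags`/`:attributes` are silently ignored, so as far as this hunk shows the caller's scrubber alone is responsible for removing unsafe markup, which is a surprising contract for a class named WhiteListSanitizer and is not documented anywhere in the change. A comment above the branch should state it, e.g. `# A :scrubber replaces the tag/attribute whitelist outright; it must strip unsafe nodes itself. :tags and :attributes are ignored when it is given.`. The inline comment "Loofah makes sure this is a scrubber" rests on `scrub!` rejecting non-scrubbers (the accompanying test expects `Loofah::ScrubberNotFound`); naming that exception in the comment makes the guarantee checkable rather than folklore. As a point of style, the assignment in the condition should be parenthesized so it does not read as a typo for `==`: `if (scrubber = options[:scrubber])`. The `sanitize` method's signature and its closing lines lie outside the hunk.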
@@ -222,6 +222,42 @@ class SanitizersTest < ActionController::TestCase
 assert_equal "You should pass :attributes as an Enumerable", e.message
 end
+ def test_should_not_accept_non_loofah_inheriting_scrubber
+ sanitizer = ActionView::WhiteListSanitizer.new
+ scrubber = Object.new
+ scrubber.class_eval do
+ def scrub(node); node.name = 'h1'; end
+ end
+
+ assert_raise Loofah::ScrubberNotFound do
+ sanitizer.sanitize('', :scrubber => scrubber)
+ end
+ end
+
+ def test_should_accept_loofah_inheriting_scrubber
+ sanitizer = ActionView::WhiteListSanitizer.new
+ scrubber = Loofah::Scrubber.new
+ scrubber.class_eval do
+ def scrub(node); node.name = 'h1'; end
+ end
+ html = ""
+ assert_equal "

hello!

", sanitizer.sanitize(html, :scrubber => scrubber)
+ end
+
+ def test_should_accept_loofah_scrubber_that_wraps_a_block
+ sanitizer = ActionView::WhiteListSanitizer.new
+ scrubber = Loofah::Scrubber.new { |node| node.name = 'h1' }
+ html = ""
+ assert_equal "

hello!

", sanitizer.sanitize(html, :scrubber => scrubber)
+ end
+
+ def test_custom_scrubber_takes_precedence_over_other_options
+ sanitizer = ActionView::WhiteListSanitizer.new
+ scrubber = Loofah::Scrubber.new { |node| node.name = 'h1' }
+ html = ""
+ assert_equal "

hello!

", sanitizer.sanitize(html, :scrubber => scrubber, :tags => ['foo']) + end + [%w(img src), %w(a href)].each do |(tag, attr)| define_method "test_should_strip_#{attr}_attribute_in_#{tag}_with_bad_protocols" do assert_sanitized %(<#{tag} #{attr}="javascript:bang" title="1">boo), %(<#{tag} title="1">boo) -- cgit v1.2.3
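Review bot: `test_should_not_accept_non_loofah_inheriting_scrubber` calls `scrubber.class_eval` on an `Object.new` instance, but `class_eval` is a Module method and plain objects do not respond to it, so the test should fail with NoMethodError before `assert_raise` ever runs; `test_should_accept_loofah_inheriting_scrubber` has the same problem with `Loofah::Scrubber.new.class_eval`. Define the singleton method directly in both tests: `def scrubber.scrub(node); node.name = 'h1'; end`. Switching to `scrubber.class.class_eval` would not be a fix, since it would redefine `scrub` for every Loofah::Scrubber in the test run and leak into the block-based tests below. The rejection test also passes `''` as the input, so it presumably only passes if Loofah validates the scrubber before traversing any node; a small non-empty fragment would make the assertion independent of that detail.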