Update sanitizer in ActionView::Helpers::SanitizeHelper

- The sanitizer has been changed to safe_list_sanitizer. - deprecate white_list_sanitizer

Update sanitizer in ActionView::Helpers::SanitizeHelper
- The sanitizer has been changed to safe_list_sanitizer. - deprecate white_list_sanitizer
21da2049 · Juanito Fatas · Kasper Timm Hansen · 6b4de16b · 21da2049 · 21da2049
3 changed file
--- a/actiontext/app/helpers/action_text/content_helper.rb
+++ b/actiontext/app/helpers/action_text/content_helper.rb
@@ -4,7 +4,7 @@

 module ActionText
  module ContentHelper
-    mattr_accessor(:sanitizer) { Rails::Html::Sanitizer.white_list_sanitizer.new }
+    mattr_accessor(:sanitizer) { Rails::Html::Sanitizer.safe_list_sanitizer.new }
    mattr_accessor(:allowed_tags) { sanitizer.class.allowed_tags + [ ActionText::Attachment::TAG_NAME, "figure", "figcaption" ] }
    mattr_accessor(:allowed_attributes) { sanitizer.class.allowed_attributes + ActionText::Attachment::ATTRIBUTES }
    mattr_accessor(:scrubber)

--- a/actionview/CHANGELOG.md
+++ b/actionview/CHANGELOG.md
+*   ActionView::Helpers::SanitizeHelper: support rails-html-sanitizer 1.1.0.
+
+    *Juanito Fatas*
+
+
 ## Rails 6.0.0.rc2 (July 22, 2019) ##

 *   Fix `select_tag` so that it doesn't change `options` when `include_blank` is present.

--- a/actionview/lib/action_view/helpers/sanitize_helper.rb
+++ b/actionview/lib/action_view/helpers/sanitize_helper.rb
@@ -2,6 +2,7 @@

 require "active_support/core_ext/object/try"
 require "rails-html-sanitizer"
+require "active_support/deprecation"

 module ActionView
  # = Action View Sanitize Helpers
@@ -17,7 +18,7 @@ module SanitizeHelper
      # ASCII, and hex character references to work around these protocol filters.
      # All special characters will be escaped.
      #
-      # The default sanitizer is Rails::Html::WhiteListSanitizer. See {Rails HTML
+      # The default sanitizer is Rails::Html::SafeListSanitizer. See {Rails HTML
      # Sanitizers}[https://github.com/rails/rails-html-sanitizer] for more information.
      #
      # Custom sanitization rules can also be provided.
@@ -80,12 +81,12 @@ module SanitizeHelper
      #   config.action_view.sanitized_allowed_tags = ['strong', 'em', 'a']
      #   config.action_view.sanitized_allowed_attributes = ['href', 'title']
      def sanitize(html, options = {})
-        self.class.white_list_sanitizer.sanitize(html, options).try(:html_safe)
+        self.class.safe_list_sanitizer.sanitize(html, options)&.html_safe
      end

      # Sanitizes a block of CSS code. Used by +sanitize+ when it comes across a style attribute.
      def sanitize_css(style)
-        self.class.white_list_sanitizer.sanitize_css(style)
+        self.class.safe_list_sanitizer.sanitize_css(style)
      end

      # Strips all HTML tags from +html+, including comments and special characters.
@@ -123,20 +124,14 @@ def strip_links(html)
      end

      module ClassMethods #:nodoc:
-        attr_writer :full_sanitizer, :link_sanitizer, :white_list_sanitizer
-
-        # Vendors the full, link and white list sanitizers.
-        # Provided strictly for compatibility and can be removed in Rails 6.
-        def sanitizer_vendor
-          Rails::Html::Sanitizer
-        end
+        attr_writer :full_sanitizer, :link_sanitizer, :safe_list_sanitizer

        def sanitized_allowed_tags
-          sanitizer_vendor.white_list_sanitizer.allowed_tags
+          safe_list_sanitizer.allowed_tags
        end

        def sanitized_allowed_attributes
-          sanitizer_vendor.white_list_sanitizer.allowed_attributes
+          safe_list_sanitizer.allowed_attributes
        end

        # Gets the Rails::Html::FullSanitizer instance used by +strip_tags+. Replace with
@@ -145,9 +140,8 @@ def sanitized_allowed_attributes
        #   class Application < Rails::Application
        #     config.action_view.full_sanitizer = MySpecialSanitizer.new
        #   end
-        #
        def full_sanitizer
-          @full_sanitizer ||= sanitizer_vendor.full_sanitizer.new
+          @full_sanitizer ||= Rails::Html::Sanitizer.full_sanitizer.new
        end

        # Gets the Rails::Html::LinkSanitizer instance used by +strip_links+.
@@ -156,20 +150,18 @@ def full_sanitizer
        #   class Application < Rails::Application
        #     config.action_view.link_sanitizer = MySpecialSanitizer.new
        #   end
-        #
        def link_sanitizer
-          @link_sanitizer ||= sanitizer_vendor.link_sanitizer.new
+          @link_sanitizer ||= Rails::Html::Sanitizer.link_sanitizer.new
        end

-        # Gets the Rails::Html::WhiteListSanitizer instance used by sanitize and +sanitize_css+.
+        # Gets the Rails::Html::SafeListSanitizer instance used by sanitize and +sanitize_css+.
        # Replace with any object that responds to +sanitize+.
        #
        #   class Application < Rails::Application
-        #     config.action_view.white_list_sanitizer = MySpecialSanitizer.new
+        #     config.action_view.safe_list_sanitizer = MySpecialSanitizer.new
        #   end
-        #
-        def white_list_sanitizer
-          @white_list_sanitizer ||= sanitizer_vendor.white_list_sanitizer.new
+        def safe_list_sanitizer
+          @safe_list_sanitizer ||= Rails::Html::Sanitizer.safe_list_sanitizer.new
        end
      end
    end