Commit 2cd4bce8 (unverified)
Authored on May 14, 2019 by Juanito Fatas
Committed by Kasper Timm Hansen on Aug 05, 2019
Update sanitizer in ActionView::Helpers::SanitizeHelper
- The sanitizer has been changed to safe_list_sanitizer.
Parent: f64de36c
Showing 3 changed files with 51 additions and 13 deletions (+51 / -13)
actiontext/app/helpers/action_text/content_helper.rb (+37 / -0)
actionview/CHANGELOG.md (+4 / -0)
actionview/lib/action_view/helpers/sanitize_helper.rb (+10 / -13)
actiontext/app/helpers/action_text/content_helper.rb
0 → 100644
# frozen_string_literal: true
require
"rails-html-sanitizer"
module
ActionText
module
ContentHelper
mattr_accessor
(
:sanitizer
)
{
Rails
::
Html
::
Sanitizer
.
safe_list_sanitizer
.
new
}
mattr_accessor
(
:allowed_tags
)
{
sanitizer
.
class
.
allowed_tags
+
[
ActionText
::
Attachment
::
TAG_NAME
,
"figure"
,
"figcaption"
]
}
mattr_accessor
(
:allowed_attributes
)
{
sanitizer
.
class
.
allowed_attributes
+
ActionText
::
Attachment
::
ATTRIBUTES
}
mattr_accessor
(
:scrubber
)
def
render_action_text_content
(
content
)
sanitize_action_text_content
(
render_action_text_attachments
(
content
))
end
def
sanitize_action_text_content
(
content
)
sanitizer
.
sanitize
(
content
.
to_html
,
tags:
allowed_tags
,
attributes:
allowed_attributes
,
scrubber:
scrubber
).
html_safe
end
def
render_action_text_attachments
(
content
)
content
.
render_attachments
do
|
attachment
|
unless
attachment
.
in?
(
content
.
gallery_attachments
)
attachment
.
node
.
tap
do
|
node
|
node
.
inner_html
=
render
(
attachment
,
in_gallery:
false
).
chomp
end
end
end
.
render_attachment_galleries
do
|
attachment_gallery
|
render
(
layout:
attachment_gallery
,
object:
attachment_gallery
)
do
attachment_gallery
.
attachments
.
map
do
|
attachment
|
attachment
.
node
.
inner_html
=
render
(
attachment
,
in_gallery:
true
).
chomp
attachment
.
to_html
end
.
join
(
""
).
html_safe
end
.
chomp
end
end
end
end
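Review bot: The `allowed_tags` and `allowed_attributes` defaults are computed from `sanitizer.class` inside the `mattr_accessor` blocks, which ActiveSupport evaluates once when the module loads, so an application that later assigns `ActionText::ContentHelper.sanitizer = MySanitizer.new` keeps the allow-lists derived from `Rails::Html::Sanitizer.safe_list_sanitizer`; since those two lists decide which markup survives `sanitize_action_text_content`, either derive them lazily from the current `sanitizer` or document that all three accessors must be overridden together. This file also calls `safe_list_sanitizer`, which the CHANGELOG ties to rails-html-sanitizer 1.1.0, so it shares the version floor of the sanitize_helper change.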
actionview/CHANGELOG.md
*
ActionView::Helpers::SanitizeHelper: support rails-html-sanitizer 1.1.0.
*Juanito Fatas*
*
Allow programmatic click events to trigger Rails UJS click handlers.
Programmatic click events (eg. ones generated by
`Rails.fire(link, "click")`
) don't specify a button. These events were being incorrectly stopped by code meant to ignore scroll wheel and right clicks introduced in #34573.
...
...
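Review bot: The entry "support rails-html-sanitizer 1.1.0" does not tell users what changes for them; since this commit renames the public `white_list_sanitizer` accessor and the `config.action_view.white_list_sanitizer` option to `safe_list_sanitizer`, the entry should name that rename (and whatever deprecation path is provided) so the upgrade guide can pick it up.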
actionview/lib/action_view/helpers/sanitize_helper.rb
...
...
@@ -17,7 +17,7 @@ module SanitizeHelper
# ASCII, and hex character references to work around these protocol filters.
# All special characters will be escaped.
#
# The default sanitizer is Rails::Html::
Whit
eListSanitizer. See {Rails HTML
# The default sanitizer is Rails::Html::
Saf
eListSanitizer. See {Rails HTML
# Sanitizers}[https://github.com/rails/rails-html-sanitizer] for more information.
#
# Custom sanitization rules can also be provided.
...
...
@@ -80,12 +80,12 @@ module SanitizeHelper
# config.action_view.sanitized_allowed_tags = ['strong', 'em', 'a']
# config.action_view.sanitized_allowed_attributes = ['href', 'title']
def
sanitize
(
html
,
options
=
{})
self
.
class
.
whit
e_list_sanitizer
.
sanitize
(
html
,
options
).
try
(
:html_safe
)
self
.
class
.
saf
e_list_sanitizer
.
sanitize
(
html
,
options
).
try
(
:html_safe
)
end
# Sanitizes a block of CSS code. Used by +sanitize+ when it comes across a style attribute.
def
sanitize_css
(
style
)
self
.
class
.
whit
e_list_sanitizer
.
sanitize_css
(
style
)
self
.
class
.
saf
e_list_sanitizer
.
sanitize_css
(
style
)
end
# Strips all HTML tags from +html+, including comments and special characters.
...
...
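Review bot: `sanitize` and `sanitize_css` now call `safe_list_sanitizer`, which the CHANGELOG entry ties to rails-html-sanitizer 1.1.0, but none of the three changed files is actionview.gemspec, so the declared dependency floor is not raised in this commit; an app that resolves an older rails-html-sanitizer would fail at the first `sanitize` call with a NoMethodError rather than at bundle time. Bump the gemspec requirement in the same change.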
@@ -123,7 +123,7 @@ def strip_links(html)
end
module
ClassMethods
#:nodoc:
attr_writer
:full_sanitizer
,
:link_sanitizer
,
:
whit
e_list_sanitizer
attr_writer
:full_sanitizer
,
:link_sanitizer
,
:
saf
e_list_sanitizer
# Vendors the full, link and white list sanitizers.
# Provided strictly for compatibility and can be removed in Rails 5.1.
...
...
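Review bot: The unchanged comment just below the new `attr_writer` line still reads `# Vendors the full, link and white list sanitizers.`, so the documentation now contradicts the accessor it describes; update it to say safe list in this hunk. Dropping `:white_list_sanitizer` from `attr_writer` also removes the `white_list_sanitizer=` setter that `config.action_view.white_list_sanitizer = ...` (shown in the old doc example later in this file) relies on; keep a deprecated writer that forwards to `safe_list_sanitizer=` for one release.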
@@ -132,11 +132,11 @@ def sanitizer_vendor
end
def
sanitized_allowed_tags
sanitizer_vendor
.
whit
e_list_sanitizer
.
allowed_tags
sanitizer_vendor
.
saf
e_list_sanitizer
.
allowed_tags
end
def
sanitized_allowed_attributes
sanitizer_vendor
.
whit
e_list_sanitizer
.
allowed_attributes
sanitizer_vendor
.
saf
e_list_sanitizer
.
allowed_attributes
end
# Gets the Rails::Html::FullSanitizer instance used by +strip_tags+. Replace with
...
...
@@ -145,7 +145,6 @@ def sanitized_allowed_attributes
# class Application < Rails::Application
# config.action_view.full_sanitizer = MySpecialSanitizer.new
# end
#
def
full_sanitizer
@full_sanitizer
||=
sanitizer_vendor
.
full_sanitizer
.
new
end
...
...
@@ -156,20 +155,18 @@ def full_sanitizer
# class Application < Rails::Application
# config.action_view.link_sanitizer = MySpecialSanitizer.new
# end
#
def
link_sanitizer
@link_sanitizer
||=
sanitizer_vendor
.
link_sanitizer
.
new
end
# Gets the Rails::Html::
Whit
eListSanitizer instance used by sanitize and +sanitize_css+.
# Gets the Rails::Html::
Saf
eListSanitizer instance used by sanitize and +sanitize_css+.
# Replace with any object that responds to +sanitize+.
#
# class Application < Rails::Application
# config.action_view.
whit
e_list_sanitizer = MySpecialSanitizer.new
# config.action_view.
saf
e_list_sanitizer = MySpecialSanitizer.new
# end
#
def
white_list_sanitizer
@white_list_sanitizer
||=
sanitizer_vendor
.
white_list_sanitizer
.
new
def
safe_list_sanitizer
@safe_list_sanitizer
||=
sanitizer_vendor
.
safe_list_sanitizer
.
new
end
end
end
...
...
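Review bot: The old reader `white_list_sanitizer` is deleted outright rather than kept as a deprecated alias for `safe_list_sanitizer`, so any application or engine that calls `white_list_sanitizer`, overrides it, or sets it through `config.action_view.white_list_sanitizer` (the example this hunk rewrites) breaks on upgrade with no deprecation warning. Suggest keeping `def white_list_sanitizer` as a thin wrapper that emits an ActiveSupport deprecation and returns `safe_list_sanitizer`, and reflecting the rename in the CHANGELOG entry.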