flavorjones
commented
1 year ago Actions isn't working well, but I kicked off a manual run of CI on this PR at https://github.com/rails/rails-html-sanitizer/actions/runs/4948930151 which is green.
Closed flavorjones closed 1 year ago
flavorjones
commented
1 year ago Actions isn't working well, but I kicked off a manual run of CI on this PR at https://github.com/rails/rails-html-sanitizer/actions/runs/4948930151 which is green.
Preparing for a larger refactor related to HTML5 parsing support, this PR started as backfilling test coverage for the default safelist.
public API changes
timetag is now allowed by default (note that thedatetimeattribute was already allowed, and that attribute is only valid in atimetag)langattribute is now allowed by default (note that thexml:langattribute was already allowed, and that attribute is only valid if there is also a matchinglangattribute)Rails::Html::XPATHS_TO_REMOVEconstant is removedNote that
timetag andlangattribute are safe and are already allowed by Loofah, DOMPurify, and other common sanitizers.The
XPATHS_TO_REMOVEconstant was public, but probably should have been a private constant (an implementation detail) all along. It's possible that removing it might break somebody who's monkeypatching the sanitizer, but really they should be usingSafeListSanitizer'sallowed_tagsandallowed_attributesattrs instead of changing the value of this constant.test suite changes
Within the test suite, I've also made the following changes:
assert_dom_equalwhich was obfuscating what is being tested