
turning overkill sanitization and fixing bugs in logic for do_not_sanitize override
1 parent df939c5 commit 4ac65fa1722d8dc49070107a395d04601db3fb2f Walter McGinnis committed Mar 5, 2008
Showing with 5 additions and 3 deletions.
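--- a/lib/validates_as_sanitized_html.rb
+++ b/lib/validates_as_sanitized_html.rb
@@ -12,7 +12,7 @@ def validates_as_sanitized_html(*attr_names)
 validates_each(attr_names, configuration) do |record, attr_name, value|
 # allow for turning off sanitization on a record by record basis
 # via virtual attribute on record
-do_not_sanitize = !record.do_not_sanitize.nil? && (record.do_not_sanitize == true || record.do_not_sanitize == 1) ? true : false
+do_not_sanitize = !record.do_not_sanitize.nil? && record.do_not_sanitize.to_s != 'false' && (record.do_not_sanitize.to_s == 'true' || record.do_not_sanitize.to_i == 1) ? true : false
 unless do_not_sanitize
 # TODO: see if we can reuse sanitization
 # from rail's html/sanitize or helpers/sanitize_helper
@@ -22,8 +22,10 @@ def validates_as_sanitized_html(*attr_names)
 record.errors.add(attr_name,
 ": we aren't currently allowing forms or javascript in submitted HTML for security reasons.")
 else
-new_value = Hpricot(value).to_html
-record.errors.add(attr_name, ": is not valid html. It looks like you didn't close all your tags.") if new_value != value
+# Walter McGinnis, 2008-02-04
+# this is not accurate enough, get false positives
+# new_value = Hpricot(value).to_html
+# record.errors.add(attr_name, ": is not valid html. It looks like you didn't close all your tags.") if new_value != value
 end
 end
 end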
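Review bot: The rewritten `do_not_sanitize` test in the first hunk still accepts any value whose `to_i` is 1, so a string such as `"1abc"` (or a float like `1.5`) switches sanitization off, while the `to_s != 'false'` clause and the trailing `? true : false` are redundant because the remaining conjuncts already produce a boolean. A single membership test keeps exactly the intended `true`/`1`/`"true"`/`"1"` cases and nothing else: `do_not_sanitize = %w[true 1].include?(record.do_not_sanitize.to_s)`. Because this flag disables the forms/javascript check entirely, it is worth confirming that the virtual attribute is only settable by trusted code and not through mass assignment from request parameters; the hunk does not show how it is populated. The enclosing `validates_as_sanitized_html` method begins before the first hunk.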
