Workaround for encode_special_chars

[TALlama]

I'm trying to take an HTML fragment and output it in a non-HTML context (CSV, to be specific). As such, I want to "slurp out" the text unchanged but strip tags completely, which I used to be able to do but in 1.0.3 I now have to decode HTML entities outside the sanitizer.

Before 1.0.3, You could do:

Rails::Html::FullSanitizer.new.sanitize(%{"I would like," <a href="etc">John</a> said, "a Black & Tan."}, encode_special_chars: false)
=> %{"I would like," John said, "a Black & Tan."}

But now in 1.0.3, there is no way to strip tags without also HTML-encoding the special characters:

Rails::Html::FullSanitizer.new.sanitize(%{"I would like," <a href="etc">John</a> said, "a Black & Tan."}, encode_special_chars: false)
=> "\"I would like,\" John said, \"a Black &amp; Tan.\""

(that encode_special_characters is totally ignored without any warning is also concerning; a deprecation message or an error would be nice)

I understand that this was because we were un-escaping already-escaped special characters, but I don't understand why this means we now have no way to keep our not-escaped special characters not-escaped.

[rafaelfranca]

HTML sanitizing is for HTML contexts. There is not way to safely not escape HTML entities without reintroducing the security issue. You can fallback to loofah if you want to keep this behavior.