Pass options to the text method.

[kaspth]

Fixes #31.

This lets us avoid encoding special chars twice in Rails as strip_tags could be written as:

def strip_tags(html)
  self.class.full_sanitizer.sanitize(html, encode_special_chars: false) # let Rails handle escaping.
end

I didn't document this option as it's really for our internal use. But there's a potential security vector we have to take into account here.

Alternatively, I guess we could just call html_safe in strip_tags, but that makes me feel uneasy too.

cc @rafaelfranca

[rafaelfranca]

[kaspth]

Great, once the other issue is sorted we can bump the version number and ship a new release. Then I'll submit a PR to Rails to use this 😉

[kaspth]

It'll make it into 4.2.2, right?

[rafaelfranca]

Right

[kaspth]

Submitted rails/rails#19252 to add the binding on Rails' side.

[mtarnovan]

@rafaelfranca Looks like 4.2.2 was release without this fix.

[kaspth]

@mtarnovan 4.2.2 was a security release. Those should have the fewest number of changes to make them as easy as possible to upgrade to.
This'll in the next bug fix release for 4.2.

[mtarnovan]

@kaspth I see, thanks.

[optimum-dulopin]

i use rails 4.2.5.1 and there is still this bug

[geoffevason]

@optimum-dulopin I don't think this is considered a bug anymore. Although #35 originally solved the issue, it was undone here 49dfc15

Basically:

Loofah.fragment("&").text(encode_special_chars: false) => "&"  # Yay - this is  the way it used to be!
Loofah.fragment("&lt;script&gt;").text(encode_special_chars: false) => "<script>" # uh-oh - this would let anyone inject so we can't use encode_special_chars

Perhaps the bug is Loofah's use of encode_special_chars: false to actually unencoded encoded strings - I'm still trying to figure that out myself...