Permalink
Browse files

Don't ignore non Enumerable values passed to sanitize (closes #5585)

When someone accidentally passes a string to sanitize like:

sanitize("<span>foo</span>", :tags => "b")

there is no indication that it's the wrong way and span
will not be removed.
  • Loading branch information...
1 parent 4946107 commit 37c84ed877188151c14af2b1401e4f2bd860bdd7 @drogus drogus committed Mar 27, 2012
@@ -5,6 +5,7 @@
module HTML
class Sanitizer
def sanitize(text, options = {})
+ validate_options(options)
return text unless sanitizeable?(text)
tokenize(text, options).join
end
@@ -27,6 +28,16 @@ def tokenize(text, options)
def process_node(node, result, options)
result << node.to_s
end
+
+ def validate_options(options)
+ if options[:tags] && !options[:tags].is_a?(Enumerable)
+ raise ArgumentError, "You should pass :tags as an Enumerable"
+ end
+
+ if options[:attributes] && !options[:attributes].is_a?(Enumerable)
+ raise ArgumentError, "You should pass :attributes as an Enumerable"
+ end
+ end
end
class FullSanitizer < Sanitizer
@@ -125,6 +125,24 @@ def test_should_allow_custom_tags_with_custom_attributes
assert_equal(text, sanitizer.sanitize(text, :attributes => ['foo']))
end
+ def test_should_raise_argument_error_if_tags_is_not_enumerable
+ sanitizer = HTML::WhiteListSanitizer.new
+ e = assert_raise(ArgumentError) do
+ sanitizer.sanitize('', :tags => 'foo')
+ end
+
+ assert_equal "You should pass :tags as an Enumerable", e.message
+ end
+
+ def test_should_raise_argument_error_if_attributes_is_not_enumerable
+ sanitizer = HTML::WhiteListSanitizer.new
+ e = assert_raise(ArgumentError) do
+ sanitizer.sanitize('', :attributes => 'foo')
+ end
+
+ assert_equal "You should pass :attributes as an Enumerable", e.message
+ end
+
[%w(img src), %w(a href)].each do |(tag, attr)|
define_method "test_should_strip_#{attr}_attribute_in_#{tag}_with_bad_protocols" do
assert_sanitized %(<#{tag} #{attr}="javascript:bang" title="1">boo</#{tag}>), %(<#{tag} title="1">boo</#{tag}>)

0 comments on commit 37c84ed

Please sign in to comment.