Don't ignore non Enumerable values passed to sanitize (closes #5585)

When someone accidentally passes a string to sanitize like: sanitize("<span>foo</span>", :tags => "b") there is no indication that it's the wrong way and span will not be removed.
rails · Mar 27, 2012 · 37c84ed · 37c84ed
1 parent 4946107
commit 37c84ed
Show file tree

Hide file tree

Showing 2 changed files with 29 additions and 0 deletions.
diff --git a/actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb b/actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb
@@ -5,6 +5,7 @@
 module HTML
   class Sanitizer
     def sanitize(text, options = {})
+      validate_options(options)
       return text unless sanitizeable?(text)
       tokenize(text, options).join
     end
@@ -27,6 +28,16 @@ def tokenize(text, options)
     def process_node(node, result, options)
       result << node.to_s
     end
+
+    def validate_options(options)
+      if options[:tags] && !options[:tags].is_a?(Enumerable)
+        raise ArgumentError, "You should pass :tags as an Enumerable"
+      end
+
+      if options[:attributes] && !options[:attributes].is_a?(Enumerable)
+        raise ArgumentError, "You should pass :attributes as an Enumerable"
+      end
+    end
   end
 
   class FullSanitizer < Sanitizer

diff --git a/actionpack/test/template/html-scanner/sanitizer_test.rb b/actionpack/test/template/html-scanner/sanitizer_test.rb
@@ -125,6 +125,24 @@ def test_should_allow_custom_tags_with_custom_attributes
     assert_equal(text, sanitizer.sanitize(text, :attributes => ['foo']))
   end
 
+  def test_should_raise_argument_error_if_tags_is_not_enumerable
+    sanitizer = HTML::WhiteListSanitizer.new
+    e = assert_raise(ArgumentError) do
+      sanitizer.sanitize('', :tags => 'foo')
+    end
+
+    assert_equal "You should pass :tags as an Enumerable", e.message
+  end
+
+  def test_should_raise_argument_error_if_attributes_is_not_enumerable
+    sanitizer = HTML::WhiteListSanitizer.new
+    e = assert_raise(ArgumentError) do
+      sanitizer.sanitize('', :attributes => 'foo')
+    end
+
+    assert_equal "You should pass :attributes as an Enumerable", e.message
+  end
+
   [%w(img src), %w(a href)].each do |(tag, attr)|
     define_method "test_should_strip_#{attr}_attribute_in_#{tag}_with_bad_protocols" do
       assert_sanitized %(<#{tag} #{attr}="javascript:bang" title="1">boo</#{tag}>), %(<#{tag} title="1">boo</#{tag}>)