railties: configure sanitizer vendor in 7.1 defaults more robustly

Note: this is a manual backport of #51267 as it did not apply cleanly. rails-html-santizer is a dependency of Action View and a transitive dependency of Action Text (via Action Pack), but may not be loaded until after railties sets configuration defaults. This change `require`s rails-html-sanitizer immediately before it's needed, and avoids the possibly-incorrect assumption that Rails::HTML::Sanitizer is already defined. Closes #51246 Co-authored-by: Rafael Mendonça França <rafael@rubyonrails.org> Co-authored-by: Mike Dalessio <mike.dalessio@gmail.com>
rails · Mar 8, 2024 · 5305d2d · 5305d2d
1 parent ce48028
commit 5305d2d
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 7 deletions.
diff --git a/railties/CHANGELOG.md b/railties/CHANGELOG.md
@@ -1,3 +1,10 @@
+*   Fix sanitizer vendor configuration in 7.1 defaults.
+
+    In apps where rails-html-sanitizer was not eagerly loaded, the sanitizer default could end up
+    being Rails::HTML4::Sanitizer when it should be set to Rails::HTML5::Sanitizer.
+
+    *Mike Dalessio*, *Rafael Mendonça França*
+
 *   Revert the use of `Concurrent.physical_processor_count` in default Puma config
 
     While for many people this saves one config to set, for many others using

diff --git a/railties/lib/rails/application/configuration.rb b/railties/lib/rails/application/configuration.rb
@@ -320,14 +320,14 @@ def load_defaults(target_version)
             action_controller.allow_deprecated_parameters_hash_equality = false
           end
 
-          if defined?(Rails::HTML::Sanitizer) # nested ifs to avoid linter errors
-            if respond_to?(:action_view)
-              action_view.sanitizer_vendor = Rails::HTML::Sanitizer.best_supported_vendor
-            end
+          if respond_to?(:action_view)
+            require "rails-html-sanitizer"
+            action_view.sanitizer_vendor = Rails::HTML::Sanitizer.best_supported_vendor
+          end
 
-            if respond_to?(:action_text)
-              action_text.sanitizer_vendor = Rails::HTML::Sanitizer.best_supported_vendor
-            end
+          if respond_to?(:action_text)
+            require "rails-html-sanitizer"
+            action_text.sanitizer_vendor = Rails::HTML::Sanitizer.best_supported_vendor
           end
         else
           raise "Unknown version #{target_version.to_s.inspect}"