Prepare for partial release. #16525
Conversation
I don't understand why the build failed. I've added 'rails-deprecated_sanitizer' as a dependency. Shouldn't that make it work?

ah, the gem is unreleased.
The new version updates `sanitize`, so it can take a `Loofah::Scrubber` for powerful scrubbing.
[See some examples of scrubbers here](https://github.com/flavorjones/loofah#loofahscrubber).

Two new scrubbers have also been added, they are `PermitScrubber` and `TargetScrubber`. Read more about in the [gems readme](https://github.com/rails/rails-html-sanitizer).
Maybe you could write:

Two new scrubbers have also been added: `PermitScrubber` and `TargetScrubber`. For further information, you can read the gem's readme.

Also, could you please wrap your additions around 80 chars? Thank you so far! :-)
I hope I did it right. Thanks, Robin.
- Default to Rails::DeprecatedSanitizer in ActionView::Helpers::SanitizeHelper.
- Add upgrade notes.
- Add sanitizer to new applications Gemfiles.
- Remove 'rails-dom-testing' as a dependency.
Has the gem been released yet?

on it.
Prepare for partial release.
❤️
Read the [gem's readme](https://github.com/rails/rails-html-sanitizer) for more information.

The documentation for `PermitScrubber` and `TargetScrubber` explains how you
can gain complete control over when and how elements should be stripped.
@kaspth do we print a deprecation message for this? would be nice if we can figure out a sensible place to do this, so that...

- People who don't use the `sanitize` helpers at all will not see the warning
- People who use the old default will be nagged about the switch in the next version
- People who have the new gem installed will not see the warning

Similar to #16537. wdyt?
Inserting a deprecation message here would satisfy those three constraints: https://github.com/rails/rails-deprecated_sanitizer/blob/master/lib/rails/deprecated_sanitizer/html-scanner/html/sanitizer.rb#L7

The subclasses `super` this method (or don't override it) and it is therefore called on every `sanitize` call when using the deprecated behavior.

Here's a PR for this: kaspth/rails-deprecated_sanitizer/pull/4
`Rails::DeprecatedSanitizer` in `ActionView::Helpers::SanitizeHelper`.