[openstreetmap/openstreetmap-website] Sanitize classes from outputs (#3149)

Andy Allan notifications at github.com
Wed Mar 24 19:21:55 UTC 2021

There are an endless amount of shenanigans that you can get up to using CSS classes. Examples are available privately on request.

This PR makes a few related changes:

* Adds tests for adding classes to table elements
* Refactors the configuration setup for the sanitize gem (although it turned out not to be necessary for this particular task)
* Strip away all class attributes from the output, by extending our custom transformer, to prevent shenanigans.
You can view, comment on, or merge this pull request online at:


-- Commit Summary --

  * Add tests for richtext table classes
  * Rework configuration to use Sanitize::Config.merge
  * Strip away class attributes from sanitized outputs

-- File Changes --

    M config/initializers/sanitize.rb (18)
    M test/lib/rich_text_test.rb (23)

-- Patch Links --


You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstreetmap.org/pipermail/rails-dev/attachments/20210324/50df2c48/attachment.htm>

More information about the rails-dev mailing list