href is not a HTML element

Juanito Fatas · Juanito Fatas · commit 2523282e1e49 · 2019-05-10T15:15:08.000+09:00
https://developer.mozilla.org/en-US/docs/Web/HTML/Element
diff --git a/lib/rails/html/sanitizer.rb b/lib/rails/html/sanitizer.rb
@@ -48,7 +48,7 @@ def sanitize(html, options = {})
     class LinkSanitizer < Sanitizer
       def initialize
         @link_scrubber = TargetScrubber.new
-        @link_scrubber.tags = %w(a href)
+        @link_scrubber.tags = %w(a)
         @link_scrubber.attributes = %w(href)
       end
 
@@ -146,7 +146,7 @@ def allowed_tags(options)
 
       def allowed_attributes(options)
         options[:attributes] || self.class.allowed_attributes
-      end      
+      end
     end
 
     WhiteListSanitizer = SafeListSanitizer
diff --git a/test/sanitizer_test.rb b/test/sanitizer_test.rb
@@ -154,10 +154,6 @@ def test_strip_links_with_linkception
     assert_equal "Magic", link_sanitize("<a href='http://www.rubyonrails.com/'>Mag<a href='http://www.ruby-lang.org/'>ic")
   end
 
-  def test_strip_links_with_a_tag_in_href
-    assert_equal "FrrFox", link_sanitize("<href onlclick='steal()'>FrrFox</a></href>")
-  end
-
   def test_sanitize_form
     assert_sanitized "<form action=\"/foo/bar\" method=\"post\"><input></form>", ''
   end
