If passed Range shorthand (duck typed), handle as text #203


Open: wants to merge 2 commits into base: main

Conversation

nacengineer

We ran across a weird corner case when using the blacklight and blacklight_range_limit gems, where if the text passed to sanitize gets duck typed to a range, then an error is raised.

The range will get past the initial short circuit because it's a valid object but then will fail on the empty? call because range doesn't have the method empty? on it.

I've added a few tests as best I could, although I might have missed one or two. I modified the checks to handle a range by checking if it's an instance of Range and, if so, calling to_s on it so that it can merrily pass along through the sanitization process.

Any input is appreciated.

@nacengineer nacengineer changed the title Add tests for surfacing corner case issue. Check if passed text is a range and if… If passed Range, handle as text Apr 17, 2025
@nacengineer nacengineer changed the title If passed Range, handle as text If passed Range shorthand (duck typed), handle as text Apr 17, 2025
@flavorjones
Member

flavorjones commented Apr 20, 2025

Thanks for opening this PR to discuss what you're seeing.

I'm afraid I don't understand how or why a Range is being passed to the sanitizer, that seems like a bug in the code that's calling the sanitizer. Can you help me understand why you think this should be fixed in rails-html-sanitizer?

@nacengineer
Author

nacengineer commented Apr 21, 2025

Oh, it's definitely a bug on the blacklight side, but I think it highlights an edge case of the sanitization gem, as what's being passed is actually just text that is a shorthand range format, e.g. "2001..2005", which is getting duck typed into a range in the sanitize gem and failing because it passes the truthy test (return unless html) but doesn't pass the empty? test, because range doesn't have the empty? method.

@flavorjones
Member

@nacengineer Thanks for providing some additional context, but I still don't understand how or why a Range object is being passed to the sanitizer. Maybe if you provided a full reproduction to help me understand why you want to make this change?

Unless you can provide more information to change my mind, I would prefer if we either fixed this by performing a type check and raising an ArgumentError if the input isn't a String (rather than try to add support for new types), or else just didn't fix it at all (this gem's API has remained unchanged since 2013, and it was extracted from a Rails API that was unchanged before that since at least 2008, so I'm not yet convinced this is really a problem).
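To make the three positions in this thread concrete, here is an added Ruby example (not rails-html-sanitizer's own code and not the PR's diff) modelling the guard sequence the thread describes: `return unless html` followed by an `empty?` check. The `escape_markup` helper is a placeholder for the gem's real sanitization work, and the method names and sample inputs are constructed for the example. It shows the reported NoMethodError for a Range input, the maintainer's preferred fail-fast type check, and the PR's `to_s` coercion side by side.

```ruby
# Added example, not rails-html-sanitizer's own code: a toy guard modelled on the
# short-circuit sequence discussed in this thread, plus the two candidate fixes.

# Stand-in for the real sanitizer's work (assumption: only Strings reach this point).
# The actual gem does far more than escape three characters.
def escape_markup(html)
  html.gsub("&", "&amp;").gsub("<", "&lt;").gsub(">", "&gt;")
end

# Reproduces the failure the PR reports: a Range is truthy, so it passes the nil
# short-circuit, but it does not respond to `empty?`, so a NoMethodError surfaces
# from inside the library rather than at the caller's bug.
def sanitize_as_described(html)
  return unless html
  return html if html.empty?   # Range has no #empty? -> NoMethodError
  escape_markup(html)
end

# Option 1 (the maintainer's stated preference): fail fast with an ArgumentError for
# anything that is not a String, so the calling code's bug is reported at the API
# boundary with a clear message instead of leaking as a NoMethodError.
def sanitize_strict(html)
  return unless html
  raise ArgumentError, "expected a String, got #{html.class}" unless html.is_a?(String)
  return html if html.empty?
  escape_markup(html)
end

# Option 2 (the PR's approach): coerce a Range to its String form and carry on.
def sanitize_coercing(html)
  return unless html
  html = html.to_s if html.is_a?(Range)
  return html if html.empty?
  escape_markup(html)
end

# Runs one of the three guards and classifies the result so the behaviours can be
# compared without aborting: [:nil, nil], [:ok, output], [:argument_error, msg]
# or [:no_method_error, msg].
def outcome(method_name, input)
  result = send(method_name, input)
  result.nil? ? [:nil, nil] : [:ok, result]
rescue ArgumentError => e
  [:argument_error, e.message]
rescue NoMethodError => e
  [:no_method_error, e.message]
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inputs: the literal text a user might type, and the Range object a
  # caller-side bug would hand over instead of that text.
  [nil, "", "2001..2005", (2001..2005), "<b>2001..2005</b>"].each do |input|
    %i[sanitize_as_described sanitize_strict sanitize_coercing].each do |m|
      puts "#{m}(#{input.inspect}) => #{outcome(m, input).inspect}"
    end
  end
end
```

The strict variant is the defensive choice for a library sitting on a trust boundary: an unexpected type is a caller bug, and raising ArgumentError with the class name surfaces it at the call site, whereas silent coercion with `to_s` hides the bug and widens the set of inputs the sanitizer must reason about.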
