Skip to content

If passed Range shorthand (duck typed), handle as text #203

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

If passed Range shorthand (duck typed), handle as text #203

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
e46ad49
add tests for surfacing issue, check if passed text is a range and if…
nacengineer Apr 17, 2025
28f07a3
test against ranges created with Range.new, standardize range dates
nacengineer Apr 17, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions lib/rails/html/sanitizer.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -34,6 +34,7 @@ module Concern
module ComposedSanitize
def sanitize(html, options = {})
return unless html
html = html.instance_of?(Range) ? html.to_s : html
return html if html.empty?

serialize(scrub(parse_fragment(html), options))
Expand Down
34 changes: 33 additions & 1 deletion test/sanitizer_test.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -137,6 +137,16 @@ def test_strip_cdata
assert_includes(acceptable_results, result)
end

def test_strip_passed_passed_duck_typed_range
input = 2001..2005
result = full_sanitize(input)
acceptable_results = [
"2001..2005",
]

assert_includes(acceptable_results, result)
end

def test_strip_blank_string
assert_nil full_sanitize(nil)
assert_equal "", full_sanitize("")
Expand Down Expand Up @@ -211,6 +221,11 @@ def test_strip_links_with_unclosed_tags
assert_equal "", link_sanitize("<a<a")
end

def test_strip_links_with_passed_duck_typed_range
assert_equal "2001..2005", link_sanitize(Range.new(2001, 2005))
assert_equal "2001..2005", link_sanitize(2001..2005)
end

def test_strip_links_with_plaintext
assert_equal "Don't touch me", link_sanitize("Don't touch me")
end
Expand Down Expand Up @@ -295,6 +310,11 @@ def test_sanitize_form
assert_sanitized "<form action=\"/foo/bar\" method=\"post\"><input></form>", ""
end

def test_sanitize_passed_duck_typed_range
assert_sanitized Range.new(2001, 2005), "2001..2005"
assert_sanitized 2001..2005, "2001..2005"
end

def test_sanitize_plaintext
# note that the `plaintext` tag has been deprecated since HTML 2
# https://developer.mozilla.org/en-US/docs/Web/HTML/Element/plaintext
Expand All @@ -306,7 +326,19 @@ def test_sanitize_plaintext
# xerces+nekohtml-unit
"&lt;span&gt;foo&lt;/span&gt;&lt;/plaintext&gt;",
# xerces+cyberneko
"&lt;span&gt;foo&lt;/span&gt;"
"&lt;span&gt;foo&lt;/span&gt;",
]

assert_includes(acceptable_results, result)
end

def test_safe_sanitize_passed_duck_typed_range
# note that the `plaintext` tag has been deprecated since HTML 2
# https://developer.mozilla.org/en-US/docs/Web/HTML/Element/plaintext
input = 2001..2005
result = safe_list_sanitize(input)
acceptable_results = [
"2001..2005",
]

assert_includes(acceptable_results, result)
Expand Down
Loading