From cbf11c2514f40873c156a7f7823ac9fe78a37121 Mon Sep 17 00:00:00 2001 From: Javi Martín Date: Mon, 15 Apr 2024 17:06:58 +0200 Subject: [PATCH] Use Rails::HTML5::Sanitizer when sanitizing HTML Since we use a version of Loofah supporting HTML5 since db2d0bb80, the `Rails::HTML::Sanitizer.best_supported_vendor` method will return the HTML5 sanitizer. As mentioned in the pull request introducing this change [1], the libxml2 maintainer wrote: > it's still a bad idea to use a 20+ years old, unmaintained HTML 4 > parser to sanitize input for the modern web So we're going with the new default sanitizer. Note we aren't uncommenting the `action_text.sanitizer_vendor` option because we don't use Action Text and so it doesn't affect us, and uncommenting it will raise an error. Also note we need to change one test because the new sanitizer handles whitespace slightly differently. [1] Pull request 48293 in https://github.com/rails/rails --- config/initializers/new_framework_defaults_7_1.rb | 2 +- spec/models/legislation/draft_version_spec.rb | 9 +++------ 2 files changed, 4 insertions(+), 7 deletions(-) diff --git a/config/initializers/new_framework_defaults_7_1.rb b/config/initializers/new_framework_defaults_7_1.rb index 22d75dff7..c874287af 100644 --- a/config/initializers/new_framework_defaults_7_1.rb +++ b/config/initializers/new_framework_defaults_7_1.rb @@ -226,7 +226,7 @@ Rails.application.config.active_record.generate_secure_token_on = :initialize # # In previous versions of Rails, Action View always used `Rails::HTML4::Sanitizer` as its vendor. #++ -# Rails.application.config.action_view.sanitizer_vendor = Rails::HTML::Sanitizer.best_supported_vendor +Rails.application.config.action_view.sanitizer_vendor = Rails::HTML::Sanitizer.best_supported_vendor ### diff --git a/spec/models/legislation/draft_version_spec.rb b/spec/models/legislation/draft_version_spec.rb index 968824cf1..d9f68891e 100644 --- a/spec/models/legislation/draft_version_spec.rb 
+++ b/spec/models/legislation/draft_version_spec.rb @@ -135,16 +135,14 @@ describe Legislation::DraftVersion do

Something about this.

- - +
- - + @@ -157,8 +155,7 @@ describe Legislation::DraftVersion do - -
id name age gender
1 Roberta25 F
+ BODY_HTML end
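Review bot: the uncommented line in the `new_framework_defaults_7_1.rb` hunk assigns `Rails::HTML::Sanitizer.best_supported_vendor` instead of `Rails::HTML5::Sanitizer` directly, so the HTML5 sanitizer named in the subject is selected only while the installed Loofah reports HTML5 support; if the Loofah version is ever lowered, or a deployment's libxml2 lacks HTML5 parsing, `best_supported_vendor` quietly returns `Rails::HTML4::Sanitizer` and the application keeps running on the parser the commit message is trying to move away from. Since the intent is explicitly tied to the Loofah bump in db2d0bb80, consider either assigning `Rails::HTML5::Sanitizer` so a missing HTML5 sanitizer fails at boot, or adding a spec that asserts `Rails.application.config.action_view.sanitizer_vendor == Rails::HTML5::Sanitizer`, plus a one-line comment above the setting noting the Loofah requirement it depends on.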
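Review bot: the expectation in the `@@ -157` hunk of `draft_version_spec.rb` (the heredoc closed by `BODY_HTML`) is whitespace-sensitive, which is why it had to change along with the sanitizer vendor; comparing the sanitized table markup byte-for-byte couples the spec to one vendor's serialization and will break again on the next sanitizer or Loofah change. Suggest comparing whitespace-normalized output (for example `expect(result.squish).to eq(expected.squish)`) or parsing both sides with Nokogiri and comparing the resulting nodes, and, if the spec is also meant to verify that disallowed markup is stripped, keeping that as a separate explicit assertion so it is not hidden inside the layout comparison.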