Use Rails::HTML5::Sanitizer when sanitizing HTML

Since we use a version of Loofah supporting HTML5 since db2d0bb80, the `Rails::HTML::Sanitizer.best_supported_vendor` method will return the HTML5 sanitizer. As mentioned in the pull request introducting this change [1], the libxml2 maintainer wrote: > it's still a bad idea to use a 20+ years old, unmaintained HTML 4 > parser to sanitize input for the modern web So we're going with the new default sanitizer. Note we aren't uncommenting the `action_text.sanitizer_vendor` option because we don't use Action Text and so it doesn't affect us , and uncommeting it will raise an error. Also note we need to change one test because the new sanitizer handles whitespace slightly differently. [1] Pull request 48293 in https://github.com/rails/rails
2024-04-15 17:06:58 +02:00
parent 0dec47c055
commit cbf11c2514
2 changed files with 4 additions and 7 deletions
--- a/config/initializers/new_framework_defaults_7_1.rb
+++ b/config/initializers/new_framework_defaults_7_1.rb
@@ -226,7 +226,7 @@ Rails.application.config.active_record.generate_secure_token_on = :initialize
 #
 # In previous versions of Rails, Action View always used `Rails::HTML4::Sanitizer` as its vendor.
 #++
-# Rails.application.config.action_view.sanitizer_vendor = Rails::HTML::Sanitizer.best_supported_vendor
+Rails.application.config.action_view.sanitizer_vendor = Rails::HTML::Sanitizer.best_supported_vendor


 ###