Merge pull request #92 from JuanitoFatas/link-sanitizer

Remove href from LinkSanitizer tags list
rails · May 22, 2019 · c5912e7 · c5912e7
2 parents 2191bfe + 5d735a7
commit c5912e7
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 10 deletions.
diff --git a/lib/rails/html/sanitizer.rb b/lib/rails/html/sanitizer.rb
@@ -40,15 +40,16 @@ def sanitize(html, options = {})
     end
 
     # === Rails::Html::LinkSanitizer
-    # Removes a tags and href attributes leaving only the link text
+    # Removes +a+ tags and +href+ attributes leaving only the link text.
     #
-    # link_sanitizer = Rails::Html::LinkSanitizer.new
-    # link_sanitizer.sanitize('<a href="example.com">Only the link text will be kept.</a>')
-    # # => Only the link text will be kept.
+    #  link_sanitizer = Rails::Html::LinkSanitizer.new
+    #  link_sanitizer.sanitize('<a href="example.com">Only the link text will be kept.</a>')
+    #
+    #  => 'Only the link text will be kept.'
     class LinkSanitizer < Sanitizer
       def initialize
         @link_scrubber = TargetScrubber.new
-        @link_scrubber.tags = %w(a href)
+        @link_scrubber.tags = %w(a)
         @link_scrubber.attributes = %w(href)
       end
 
@@ -146,7 +147,7 @@ def allowed_tags(options)
 
       def allowed_attributes(options)
         options[:attributes] || self.class.allowed_attributes
-      end      
+      end
     end
 
     WhiteListSanitizer = SafeListSanitizer

diff --git a/test/sanitizer_test.rb b/test/sanitizer_test.rb
@@ -154,10 +154,6 @@ def test_strip_links_with_linkception
     assert_equal "Magic", link_sanitize("<a href='http://www.rubyonrails.com/'>Mag<a href='http://www.ruby-lang.org/'>ic")
   end
 
-  def test_strip_links_with_a_tag_in_href
-    assert_equal "FrrFox", link_sanitize("<href onlclick='steal()'>FrrFox</a></href>")
-  end
-
   def test_sanitize_form
     assert_sanitized "<form action=\"/foo/bar\" method=\"post\"><input></form>", ''
   end