From e46ad490095e2043087534cbe1446a29f7022354 Mon Sep 17 00:00:00 2001 From: David Southard Date: Thu, 17 Apr 2025 12:03:26 -0500 Subject: [PATCH 1/2] add tests for surfacing issue, check if passed text is a range and if so change to string --- lib/rails/html/sanitizer.rb | 1 + test/sanitizer_test.rb | 32 +++++++++++++++++++++++++++++++- 2 files changed, 32 insertions(+), 1 deletion(-) diff --git a/lib/rails/html/sanitizer.rb b/lib/rails/html/sanitizer.rb index ffe131d..4f30f4b 100644 --- a/lib/rails/html/sanitizer.rb +++ b/lib/rails/html/sanitizer.rb @@ -34,6 +34,7 @@ module Concern module ComposedSanitize def sanitize(html, options = {}) return unless html + html = html.instance_of?(Range) ? html.to_s : html return html if html.empty? serialize(scrub(parse_fragment(html), options)) diff --git a/test/sanitizer_test.rb b/test/sanitizer_test.rb index f78cd62..1b9a920 100644 --- a/test/sanitizer_test.rb +++ b/test/sanitizer_test.rb @@ -137,6 +137,16 @@ def test_strip_cdata assert_includes(acceptable_results, result) end + def test_strip_passed_passed_duck_typed_range + input = 2000..2005 + result = full_sanitize(input) + acceptable_results = [ + "2000..2005", + ] + + assert_includes(acceptable_results, result) + end + def test_strip_blank_string assert_nil full_sanitize(nil) assert_equal "", full_sanitize("") @@ -211,6 +221,10 @@ def test_strip_links_with_unclosed_tags assert_equal "", link_sanitize("", "" end + def test_sanitize_passed_duck_typed_range + assert_sanitized 2001..2005, "2001..2005" + end + def test_sanitize_plaintext # note that the `plaintext` tag has been deprecated since HTML 2 # https://developer.mozilla.org/en-US/docs/Web/HTML/Element/plaintext 
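Review bot: The guard `html.instance_of?(Range)` on the added line matches only exact `Range` instances, so a `Range` subclass (and any other non-String argument) still falls through to `html.empty?` on the following context line, a method `Range` does not define — presumably the NoMethodError this commit is working around. `html = html.to_s if html.is_a?(Range)` covers subclasses without widening the special case further; whether other non-String inputs should be coerced as well is a question for the author, since nothing on the page shows what callers pass. The coerced string still flows through `parse_fragment`, `scrub` and `serialize`, so the change does not bypass sanitization. A short comment such as `# Range has no #empty?; coerce it before the blank check below` would record why this one class is special-cased. The `end` of `sanitize` lies outside the hunk.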
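Review bot: The new test's name `test_strip_passed_passed_duck_typed_range` repeats "passed", and "duck typed" is a misnomer here since the change in lib/rails/html/sanitizer.rb checks the argument's class explicitly rather than relying on its interface; `test_strip_range_input` would describe it more plainly. The one-element `acceptable_results` array plus `assert_includes` can be collapsed to `assert_equal "2000..2005", result`, which states the expectation directly; the list form is what this file uses for parser-dependent outputs, as the parser-annotated entries in `test_sanitize_plaintext` show. The second patch's @@ -138 hunk revisits this test to change the literal to 2001 but keeps the name.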
@@ -306,7 +324,19 @@ def test_sanitize_plaintext # xerces+nekohtml-unit "<span>foo</span></plaintext>", # xerces+cyberneko - "<span>foo</span>" + "<span>foo</span>", + ] + + assert_includes(acceptable_results, result) + end + + def test_safe_sanitize_passed_duck_typed_range + # note that the `plaintext` tag has been deprecated since HTML 2 + # https://developer.mozilla.org/en-US/docs/Web/HTML/Element/plaintext + input = 2001..2005 + result = safe_list_sanitize(input) + acceptable_results = [ + "2001..2005", ] assert_includes(acceptable_results, result) From 28f07a3af9a43fe44b38a4c81919851267ab4958 Mon Sep 17 00:00:00 2001 From: David Southard Date: Thu, 17 Apr 2025 14:03:45 -0500 Subject: [PATCH 2/2] test against ranges created with Range.new, standardize range dates --- test/sanitizer_test.rb | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/test/sanitizer_test.rb b/test/sanitizer_test.rb index 1b9a920..35f8663 100644 --- a/test/sanitizer_test.rb +++ b/test/sanitizer_test.rb @@ -138,10 +138,10 @@ def test_strip_cdata end def test_strip_passed_passed_duck_typed_range - input = 2000..2005 + input = 2001..2005 result = full_sanitize(input) acceptable_results = [ - "2000..2005", + "2001..2005", ] assert_includes(acceptable_results, result) @@ -222,6 +222,7 @@ def test_strip_links_with_unclosed_tags end def test_strip_links_with_passed_duck_typed_range + assert_equal "2001..2005", link_sanitize(Range.new(2001, 2005)) assert_equal "2001..2005", link_sanitize(2001..2005) end @@ -310,6 +311,7 @@ def test_sanitize_form end def test_sanitize_passed_duck_typed_range + assert_sanitized Range.new(2001, 2005), "2001..2005" assert_sanitized 2001..2005, "2001..2005" end
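Review bot: The two comment lines about the deprecated plaintext tag and its MDN link inside the added `test_safe_sanitize_passed_duck_typed_range` are copied from `test_sanitize_plaintext` and say nothing about a Range input; drop them so the test does not mislead. As with the other range tests in this series, the one-entry `acceptable_results` list plus `assert_includes` can be replaced by `assert_equal "2001..2005", safe_list_sanitize(input)`, keeping the list form for the parser-dependent outputs annotated just above it. The hunk opens inside `test_sanitize_plaintext`, and the new test's `end` falls after the hunk's last line.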
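Review bot: `Range.new(2001, 2005)` compares equal to the literal `2001..2005` (same begin, end and exclusivity), so the assertion added in the @@ -222 hunk and the matching one in the @@ -310 hunk only repeat the assertion on the line below each of them. Inputs that would actually probe the `instance_of?(Range)` guard in lib/rails/html/sanitizer.rb are an exclusive-end range, whose `to_s` renders with three dots, and a `Range` subclass, which `instance_of?` rejects and which therefore reaches `html.empty?`. For the first, `assert_equal "2001...2005", link_sanitize(2001...2005)`; for the second, define a `Class.new(Range)` in the test and pass an instance of it through the same helpers.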