diff --git a/lib/sanitize/rails/engine.rb b/lib/sanitize/rails/engine.rb
index c8cb531..43cfdc7 100644
--- a/lib/sanitize/rails/engine.rb
+++ b/lib/sanitize/rails/engine.rb
@@ -26,7 +26,8 @@ def config
@_config ||= {
:elements => ::ActionView::Base.sanitized_allowed_tags.to_a,
:attributes => { :all => ::ActionView::Base.sanitized_allowed_attributes.to_a },
- :protocols => { :all => ::ActionView::Base.sanitized_allowed_protocols.to_a }
+ :protocols => { :all => ::ActionView::Base.sanitized_allowed_protocols.to_a },
+ :entities_whitelist => {}
}
end
else
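Review bot: The new `:entities_whitelist` key is added to the memoized defaults without a comment saying what it is, and the name suggests an allow-list of entities to keep, whereas the other hunk in this file uses it as an entity-to-replacement map applied after sanitization. A comment on the line such as `# entity => literal replacement, substituted into the output AFTER Sanitize has run; keep values free of < > " '` would make the contract clear to whoever configures it. Whether the `else` branch below and `configure` also supply this default is outside the hunk; if they do not, readers of `@_config[:entities_whitelist]` get nil rather than an empty hash.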
@@ -64,7 +65,7 @@ def callback_for(options) #:nodoc:
point = (options[:on] || 'save').to_s
unless %w( save create ).include?(point)
- raise ArgumentError, "Invalid callback point #{point}, valid ones are :save and :create"
+ raise ArgumentError, "Invalid callback point #{point}, valid ones are :save and :create"
end
"before_#{point}".intern
@@ -76,8 +77,16 @@ def method_for(fields) #:nodoc:
private
+ def decode_whitelistested_entities(string)
+ @_config[:entities_whitelist].each do |entity, decoded_value|
+ string.gsub!(entity.to_s, decoded_value.to_s)
+ end
+ string
+ end
+
def cleaned_fragment(string)
- cleaner.fragment(string)
+ sanitized_string = cleaner.fragment(string)
+ decode_whitelistested_entities(sanitized_string) unless @_config[:entities_whitelist].empty?
end
end
end
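Review bot: `cleaned_fragment` now returns nil whenever the whitelist is empty, which is the default from the first hunk, because the modifier `unless` on its last line evaluates to nil when the condition is true and `sanitized_string` is never returned; an explicit early return fixes this. The same line also raises NoMethodError when `@_config[:entities_whitelist]` is nil, so prefer the `config` accessor and coerce with `Hash(...)`, assuming `configure` does not always fill in the key (that code is outside the hunk). Since the substitution runs after `cleaner.fragment`, every `decoded_value` lands verbatim in output callers treat as sanitized, so a value containing `<`, `>`, `"` or `'` would reopen markup the sanitizer just escaped; the method should reject such values and the option should document this. `gsub!` with a string replacement still interprets `\\` and `\1` sequences, so use the block form to insert the value literally. The method name `decode_whitelistested_entities` also has a typo (`whitelistested`).
```ruby
      def decode_whitelistested_entities(string)
        Hash(config[:entities_whitelist]).each do |entity, decoded_value|
          replacement = decoded_value.to_s
          # Runs on already-sanitized output: never let a mapping reintroduce markup.
          if replacement.match?(/[<>"']/)
            raise ArgumentError, "entities_whitelist value for #{entity} would reintroduce markup"
          end
          # Block form inserts the value literally (no \1 / \\ interpretation).
          string.gsub!(entity.to_s) { replacement }
        end
        string
      end

      def cleaned_fragment(string)
        sanitized_string = cleaner.fragment(string)
        return sanitized_string if Hash(config[:entities_whitelist]).empty?

        decode_whitelistested_entities(sanitized_string)
      end
```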
diff --git a/test/sanitize_rails_engine_test.rb b/test/sanitize_rails_engine_test.rb
index 0da14c3..e27972b 100644
--- a/test/sanitize_rails_engine_test.rb
+++ b/test/sanitize_rails_engine_test.rb
@@ -53,6 +53,13 @@ def test_clean_not_producing_malicious_html_entities
assert_equal string, "<script>hello & world</script>"
end
+ def test_clean_not_making_explicit_html_entities
+ string = %Q||
+ @engine.configure(entities_whitelist: { '&': '&' })
+ @engine.clean! string
+ assert_equal string, "hello & world"
+ end
+
def test_clean_making_html_entities
string = %Q||
@engine.clean! string