Merge pull request rails#51267 from flavorjones/flavorjones-51246-rai…

…ls-html-sanitizer railties: configure sanitizer vendor in 7.1 defaults more robustly
JoeDupuis · Mar 8, 2024 · 029d31c · 029d31c
2 parents 82e3252 + 8957ba5
commit 029d31c
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 7 deletions.
diff --git a/railties/CHANGELOG.md b/railties/CHANGELOG.md
@@ -1,3 +1,10 @@
+*   Fix sanitizer vendor configuration in 7.1 defaults.
+
+    In apps where rails-html-sanitizer was not eagerly loaded, the sanitizer default could end up
+    being Rails::HTML4::Sanitizer when it should be set to Rails::HTML5::Sanitizer.
+
+    *Mike Dalessio*, *Rafael Mendonça França*
+
 *   Set `action_mailer.default_url_options` values in `development` and `test`.
 
     Prior to this commit, new Rails applications would raise `ActionView::Template::Error`

diff --git a/railties/lib/rails/application/configuration.rb b/railties/lib/rails/application/configuration.rb
@@ -310,14 +310,14 @@ def load_defaults(target_version)
             active_support.raise_on_invalid_cache_expiration_time = true
           end
 
-          if defined?(Rails::HTML::Sanitizer) # nested ifs to avoid linter errors
-            if respond_to?(:action_view)
-              action_view.sanitizer_vendor = Rails::HTML::Sanitizer.best_supported_vendor
-            end
+          if respond_to?(:action_view)
+            require "rails-html-sanitizer"
+            action_view.sanitizer_vendor = Rails::HTML::Sanitizer.best_supported_vendor
+          end
 
-            if respond_to?(:action_text)
-              action_text.sanitizer_vendor = Rails::HTML::Sanitizer.best_supported_vendor
-            end
+          if respond_to?(:action_text)
+            require "rails-html-sanitizer"
+            action_text.sanitizer_vendor = Rails::HTML::Sanitizer.best_supported_vendor
           end
         when "7.2"
           load_defaults "7.1"