From 8957ba58d524f99286df0f222d40b995e0eb506a Mon Sep 17 00:00:00 2001 From: Mike Dalessio Date: Wed, 6 Mar 2024 16:38:33 -0500 Subject: [PATCH] Fix sanitizer vendor config with 7.1 defaults MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit rails-html-sanitizer is a dependency of Action View and a transitive dependency of Action Text (via Action Pack), but may not be loaded until after railties sets configuration defaults. This change `require`s rails-html-sanitizer immediately before it's needed, and avoids the possibly-incorrect assumption that Rails::HTML::Sanitizer is already defined. Closes #51246 Co-authored-by: Rafael Mendonça França --- railties/CHANGELOG.md | 7 +++++++ railties/lib/rails/application/configuration.rb | 14 +++++++------- 2 files changed, 14 insertions(+), 7 deletions(-) diff --git a/railties/CHANGELOG.md b/railties/CHANGELOG.md index 72794554920b9..387f19672e77d 100644 --- a/railties/CHANGELOG.md +++ b/railties/CHANGELOG.md @@ -1,3 +1,10 @@ +* Fix sanitizer vendor configuration in 7.1 defaults. + + In apps where rails-html-sanitizer was not eagerly loaded, the sanitizer default could end up + being Rails::HTML4::Sanitizer when it should be set to Rails::HTML5::Sanitizer. + + *Mike Dalessio*, *Rafael Mendonça França* + * Set `action_mailer.default_url_options` values in `development` and `test`. Prior to this commit, new Rails applications would raise `ActionView::Template::Error` diff --git a/railties/lib/rails/application/configuration.rb b/railties/lib/rails/application/configuration.rb index e132213229077..0990666424530 100644 --- a/railties/lib/rails/application/configuration.rb +++ b/railties/lib/rails/application/configuration.rb
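Review bot: the CHANGELOG entry states the symptom but not the condition that triggers it; since the fix lives in `load_defaults`, say that the wrong vendor was chosen whenever `config.load_defaults 7.1` (or a later version that loads the 7.1 defaults) ran before rails-html-sanitizer had been required, and that both `action_view.sanitizer_vendor` and `action_text.sanitizer_vendor` were affected. Also, "should be set to Rails::HTML5::Sanitizer" overstates what the code does: the value is whatever `Rails::HTML::Sanitizer.best_supported_vendor` returns, so "should be `Rails::HTML::Sanitizer.best_supported_vendor` (`Rails::HTML5::Sanitizer` where supported)" keeps the entry accurate for installs where HTML5 is not available.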
@@ -310,14 +310,14 @@ def load_defaults(target_version) active_support.raise_on_invalid_cache_expiration_time = true end - if defined?(Rails::HTML::Sanitizer) # nested ifs to avoid linter errors - if respond_to?(:action_view) - action_view.sanitizer_vendor = Rails::HTML::Sanitizer.best_supported_vendor - end + if respond_to?(:action_view) + require "rails-html-sanitizer" + action_view.sanitizer_vendor = Rails::HTML::Sanitizer.best_supported_vendor + end - if respond_to?(:action_text) - action_text.sanitizer_vendor = Rails::HTML::Sanitizer.best_supported_vendor - end + if respond_to?(:action_text) + require "rails-html-sanitizer" + action_text.sanitizer_vendor = Rails::HTML::Sanitizer.best_supported_vendor end when "7.2" load_defaults "7.1"
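Review bot: `require "rails-html-sanitizer"` is repeated in the `action_view` and `action_text` branches; a single `require` placed before the two `if respond_to?` checks would cover both assignments and avoid the duplicated line. If the repetition is deliberate (the commit message says the gem is required "immediately before it's needed"), a short comment to that effect would stop the next reader from deduplicating it. Dropping the `defined?(Rails::HTML::Sanitizer)` guard also changes the failure mode: a missing gem now raises `LoadError` from `load_defaults` instead of silently leaving the vendor at its previous default, which is the right behaviour for a setting that selects the HTML sanitizer, but it deserves a sentence in the commit message. Finally, the patch adds no regression test for the scenario the CHANGELOG describes; a railties test that loads the 7.1 defaults in an application that has not yet required rails-html-sanitizer and asserts on `action_view.sanitizer_vendor` and `action_text.sanitizer_vendor` would keep this from regressing.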