Merge pull request #16775 from kaspth/ship-secure-sanitizer

Ship with rails-html-sanitizer instead.

actionpack/actionpack.gemspec

@@ -23,7 +23,7 @@ Gem::Specification.new do |s|
 
   s.add_dependency 'rack',      '~> 1.6.0.beta'
   s.add_dependency 'rack-test', '~> 0.6.2'
-  s.add_dependency 'rails-deprecated_sanitizer', '~> 1.0', '>= 1.0.2'
+  s.add_dependency 'rails-html-sanitizer', '~> 1.0'
   s.add_dependency 'rails-dom-testing', '~> 1.0', '>= 1.0.2'
   s.add_dependency 'actionview', version
 

actionview/actionview.gemspec

@@ -23,7 +23,7 @@ Gem::Specification.new do |s|
 
   s.add_dependency 'builder',       '~> 3.1'
   s.add_dependency 'erubis',        '~> 2.7.0'
-  s.add_dependency 'rails-deprecated_sanitizer', '~> 1.0', '>= 1.0.2'
+  s.add_dependency 'rails-html-sanitizer', '~> 1.0'
   s.add_dependency 'rails-dom-testing', '~> 1.0', '>= 1.0.2'
 
   s.add_development_dependency 'actionpack',  version

actionview/lib/action_view/helpers/sanitize_helper.rb

@@ -1,6 +1,6 @@
 require 'active_support/core_ext/object/try'
 require 'active_support/deprecation'
-require 'rails-deprecated_sanitizer'
+require 'rails-html-sanitizer'
 
 module ActionView
   # = Action View Sanitize Helpers
@@ -122,14 +122,9 @@ module ActionView
         attr_writer :full_sanitizer, :link_sanitizer, :white_list_sanitizer
 
         # Vendors the full, link and white list sanitizers.
-        # This uses html-scanner for the HTML sanitization.
-        # In the next Rails version this will use Rails::Html::Sanitizer instead.
-        # To get this new behavior now, in your Gemfile, add:
-        #
-        #  gem 'rails-html-sanitizer'
-        #
+        # Provided strictly for compabitility and can be removed in Rails 5.
         def sanitizer_vendor
-          Rails::DeprecatedSanitizer
+          Rails::Html::Sanitizer
         end
 
         def sanitized_allowed_tags

actionview/test/template/sanitize_helper_test.rb

@@ -18,7 +18,7 @@ class SanitizeHelperTest < ActionView::TestCase
 
   def test_should_sanitize_illegal_style_properties
     raw      = %(display:block; position:absolute; left:0; top:0; width:100%; height:100%; z-index:1; background-color:black; background-image:url(http://www.ragingplatypus.com/i/cam-full.jpg); background-x:center; background-y:center; background-repeat:repeat;)
-    expected = %(display: block; width: 100%; height: 100%; background-color: black; background-image: ; background-x: center; background-y: center;)
+    expected = %(display: block; width: 100%; height: 100%; background-color: black; background-x: center; background-y: center;)
     assert_equal expected, sanitize_css(raw)
   end
 

guides/source/4_2_release_notes.md

@@ -167,7 +167,8 @@ config.log_level = :info
 ### HTML Sanitizer
 
 The HTML sanitizer has been replaced with a new, more robust, implementation
-built upon Loofah and Nokogiri. The new sanitizer is (TODO: betterer).
+built upon Loofah and Nokogiri. The new sanitizer is more secure and its
+sanitization is more powerful and flexible.
 
 With a new sanitization algorithm, the sanitized output will change for certain
 pathological inputs.

railties/test/application/default_stack_test.rb

@@ -1,41 +0,0 @@
-# -*- coding: utf-8 -*-
-require 'isolation/abstract_unit'
-require 'rack/test'
-require 'active_support/json'
-
-module ApplicationTests
-  class DefaultStackTest < ActiveSupport::TestCase
-    include ActiveSupport::Testing::Isolation
-    include Rack::Test::Methods
-
-    def setup
-      build_app(initializers: true)
-      boot_rails
-    end
-
-    def teardown
-      teardown_app
-    end
-
-    test "the sanitizer helper" do
-      controller :foo, <<-RUBY
-        class FooController < ApplicationController
-          def index
-            render text: self.class.helpers.class.sanitizer_vendor
-          end
-        end
-      RUBY
-
-      app_file 'config/routes.rb', <<-RUBY
-        Rails.application.routes.draw do
-          get ':controller(/:action)'
-        end
-      RUBY
-
-      require "#{app_path}/config/environment"
-
-      get "/foo"
-      assert_equal 'Rails::Html::Sanitizer', last_response.body.strip
-    end
-  end
-end