diff --git a/Gemfile b/Gemfile
index 5f345f4329a..c55e6478cb0 100644
--- a/Gemfile
+++ b/Gemfile
@@ -1,7 +1,6 @@
 source 'https://rubygems.org'
 
 gem 'rails', '5.0.7.2'
-gem 'rails-deprecated_sanitizer', '~> 1.0.3'
 
 # Improves copy-on-write performance for MRI
 gem 'nakayoshi_fork', '~> 0.0.4'
diff --git a/Gemfile.lock b/Gemfile.lock
index c1d1a50799f..109958e2591 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -654,8 +654,6 @@ GEM
     actionpack (~> 5.x, >= 5.0.1)
     actionview (~> 5.x, >= 5.0.1)
     activesupport (~> 5.x)
-    rails-deprecated_sanitizer (1.0.3)
-      activesupport (>= 4.2.0.alpha)
     rails-dom-testing (2.0.3)
       activesupport (>= 4.2.0)
       nokogiri (>= 1.6)
@@ -1111,7 +1109,6 @@ DEPENDENCIES
   rack-proxy (~> 0.6.0)
   rails (= 5.0.7.2)
   rails-controller-testing
-  rails-deprecated_sanitizer (~> 1.0.3)
   rails-i18n (~> 5.1)
   rainbow (~> 3.0)
   raindrops (~> 0.18)
diff --git a/app/controllers/projects/branches_controller.rb b/app/controllers/projects/branches_controller.rb
index 9c31ae6376a..e14abbf7c78 100644
--- a/app/controllers/projects/branches_controller.rb
+++ b/app/controllers/projects/branches_controller.rb
@@ -53,7 +53,7 @@ class Projects::BranchesController < Projects::ApplicationController
   # rubocop: disable CodeReuse/ActiveRecord
   def create
-    branch_name = sanitize(strip_tags(params[:branch_name]))
+    branch_name = strip_tags(sanitize(params[:branch_name]))
     branch_name = Addressable::URI.unescape(branch_name)
 
     redirect_to_autodeploy = project.empty_repo? && project.deployment_platform.present?
@@ -122,7 +122,7 @@ class Projects::BranchesController < Projects::ApplicationController
 
   def ref
     if params[:ref]
-      ref_escaped = sanitize(strip_tags(params[:ref]))
+      ref_escaped = strip_tags(sanitize(params[:ref]))
       Addressable::URI.unescape(ref_escaped)
     else
       @project.default_branch || 'master'
diff --git a/app/helpers/markup_helper.rb b/app/helpers/markup_helper.rb
index d83c69603a9..be4fc2531ae 100644
--- a/app/helpers/markup_helper.rb
+++ b/app/helpers/markup_helper.rb
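Review bot: On the line right after the `+` line, `Addressable::URI.unescape` runs after `sanitize`/`strip_tags`, so both HTML helpers only ever see the still percent-encoded `params[:branch_name]`; an input like `%3Cscript%3E` passes them untouched and is decoded afterwards, which makes the sanitize step mostly cosmetic regardless of which order the two helpers are called in. Whether that matters depends on how `branch_name` is rendered and validated further down `create`, which continues outside this hunk. Separately, rails-html-sanitizer's `strip_tags` may entity-encode characters such as `&`, `<` and `>` that are legal in Git ref names, so a branch called `a&b` could be created as `a&amp;b` — worth checking against the pinned gem before merging. At minimum the `+` line deserves a comment stating the intent, e.g. `# Defensive only: the HTML helpers see the still-encoded value; real ref validation and escaping must happen downstream.`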
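Review bot: The `+` line in `ref` repeats the exact three-call chain that `create` now uses (`strip_tags(sanitize(...))` followed by `Addressable::URI.unescape`), so the two call sites can drift apart the next time the sanitizer changes, which is precisely what this commit is doing. A private helper keeps the ordering in one place: `def unescaped_ref_param(value)` / `  Addressable::URI.unescape(strip_tags(sanitize(value)))` / `end`, with `ref_escaped = ...` replaced by a call to it. The `ref` method's closing `end` lies outside the hunk.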
@@ -241,9 +241,7 @@ module MarkupHelper
       node.remove if node.name == 'a' && node.content.blank?
     end
 
-    # Use `Loofah` directly instead of `sanitize`
-    # as we still use the `rails-deprecated_sanitizer` gem
-    Loofah.fragment(text).scrub!(scrubber).to_s
+    sanitize text, scrubber: scrubber
   end
 
   def markdown_toolbar_button(options = {})
diff --git a/config/application.rb b/config/application.rb
index 6bdf61edfb1..cbcfef34e01 100644
--- a/config/application.rb
+++ b/config/application.rb
@@ -164,8 +164,6 @@ module Gitlab
 
     # Version of your assets, change this if you want to expire all your assets
     config.assets.version = '1.0'
 
-    config.action_view.sanitized_allowed_protocols = %w(smb)
-
     # Can be removed once upgraded to Rails 5.1 or higher
     config.action_controller.raise_on_unfiltered_parameters = true
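Review bot: `sanitize text, scrubber: scrubber` returns an `html_safe` string, whereas the removed `Loofah.fragment(text).scrub!(scrubber).to_s` returned a plain String, and as far as I recall of rails-html-sanitizer, passing `scrubber:` makes the safe-list sanitizer apply only that scrubber and skip its tag/attribute allow list entirely — confirm against the bundled version. The only scrubber logic visible in the hunk removes empty `<a>` nodes, so the returned value is trusted markup that is exactly as safe as `text` was on entry. That contract should be written down next to the `+` line, e.g. `# NOTE: with scrubber: the Rails sanitizer applies only this scrubber (no safe list) and marks the result html_safe; callers must pass already-sanitized HTML.` The enclosing helper method starts before this hunk.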
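Review bot: Removing `config.action_view.sanitized_allowed_protocols = %w(smb)` drops `smb:` from the protocols the Rails `sanitize` helper accepted in `href`/`src` attributes, and nothing in the diff replaces it. As far as I can tell that setting was only honoured by the deprecated sanitizer being removed, so after this change an `smb://` link passing through the Rails `sanitize` helper will presumably be stripped by Loofah's default protocol list; if anything relied on it (file-share links in user content, for instance) the equivalent now belongs in whichever sanitizer handles that path, and if not, the commit message should state that the behaviour is intentionally dropped. A one-line note where the setting used to be would spare the next reader the archaeology, e.g. `# smb: links are no longer allow-listed here; rails-html-sanitizer ignores sanitized_allowed_protocols.`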