Rails 4.2.0.beta2 requires both rails-deprecated-sanitizer and rails-html-sanitizer

Question

Rails 4.2.0.beta2 requires both rails-deprecated-sanitizer and rails-html-sanitizer

chancancode opened this issue 11 years ago · 4 comments

I believe the intention is that Rails 4.2.0.beta2 would ship with the new rails-html-sanitizer gem, and users can optionally include the rails-deprecated-sanitizer gem, which would override the new loofah-based implementations with the old html-scanner-based implementations.

However, actionpack and friends listed rails-dom-testing and rails-html-sanitizer as a dependency, which in turns listed rails-deprecated-sanitizer as a dependency. The net result is that, out-of-the-box, a Rails 4.2.0.beta2 app would have both rails-html-sanitizer and rails-deprecated-sanitizer activated, and adding either of these to the Gemfile doesn't have any effect.

Is this correct?

cc @kaspth @rafaelfranca

Answer 1 · 2014-10-16T07:10:46.000Z

Ah, I noticed that the only place we actually require anything from the gem is here, so I think it is probably fine. Can one of you confirm my theory and close this? 😄

Answer 2 · 2014-10-16T07:24:43.000Z

rails-html-sanitizer [..] listed rails-deprecated-sanitizer as a dependency

Is this a leftover from when we were going to default to the deprecated one?

Answer 3 · 2014-10-16T07:54:51.000Z

Sorry wrong link above, I meant to link to the require here: https://github.com/rails/rails-dom-testing/blob/master/lib/rails/dom/testing/assertions/tag_assertions.rb#L2

So it appears that we legitimately have a dependency on rails-deprecated-sanitizer (the gem) because of the legacy helpers in that file, but since we are only requiring rails/deprecated_sanitizer/html-scanner, the rest of the helpers aren't affected. If (and only if) someone adds rails-deprecated-sanitizer to their Gemfile, it will do an actual require to the rest of the files and overwrite the remaining helpers.

If that's correct we can close this 😄

Answer 4 · 2014-10-16T09:34:11.000Z

The deprecated sanitizer is used in Rails Dom Testing to avoid breaking the deprecated TagAssertions.

@chancancode I can confirm 😁
Here's a test with what's shipping in beta2:

class Test
  include ActionView::Helpers::SanitizeHelper
end

# In Rails console
irb(main):001:0> Test.sanitizer_vendor
=> Rails::Html::Sanitizer
irb(main):002:0> require 'rails-deprecated_sanitizer'
=> true
irb(main):003:0> Test.sanitizer_vendor
=> Rails::DeprecatedSanitizer

Adding the deprecated sanitizer gem in the Gemfile will then return Rails::DeprecatedSanitizer.