straight-shoota/sanitize

Deprecation warning in Crystal 1.4

robcole opened this issue · 0 comments

In src/policy/html_sanitizer.cr:269:22

 269 | uri.path = URI.encode(URI.decode(path))
                      ^-----
Warning: Deprecated URI.encode. Use `.encode_path` instead.

In /usr/local/Cellar/crystal/1.4.1/src/uri/encoding.cr:123:25

 123 | String.build { |io| encode(string, io, space_to_plus: space_to_plus) }
                           ^-----
Warning: Deprecated URI.encode:space_to_plus. Use `.encode_path` instead.

A total of 2 warnings were found.

I took a quick look into this, but it's not as simple as swapping out to use encode_path as the behaviors aren't 100% the same, and several tests fail:

crystal spec spec/html_sanitizer/url_spec.cr:5 # Sanitize::Policy::HTMLSanitizer escapes URL attribute
crystal spec spec/html_sanitizer/html_sanitizer_spec.cr:18 # Sanitize::Policy::HTMLSanitizer escapes URL attribute
crystal spec spec/support/hrx.cr:57 # Sanitize::Policy::HTMLSanitizer protocol_javascript.hrx simple, spaces before (common)
crystal spec spec/support/hrx.cr:57 # Sanitize::Policy::HTMLSanitizer protocol_javascript.hrx simple, spaces before and after (common)
crystal spec spec/support/hrx.cr:57 # Sanitize::Policy::HTMLSanitizer protocol_javascript.hrx preceding colon (common)
crystal spec spec/support/hrx.cr:57 # Sanitize::Policy::HTMLSanitizer protocol_javascript.hrx null char (common)
crystal spec spec/support/hrx.cr:57 # Sanitize::Policy::HTMLSanitizer protocol_javascript.hrx invalid URL char (common)
crystal spec spec/support/hrx.cr:57 # Sanitize::Policy::HTMLSanitizer xss.hrx . (common)
# example failure

Expected: "<img src=\"java%5Cscript:alert(%22XSS%22)\"/>"
     got: "<img src=\"java%5Cscript%3Aalert%28%22XSS%22%29\"/>"

Wasn't sure when this will actually be deprecated by Crystal, but seemed worth noting for now.
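To make the behavioural gap concrete, the following added example (not code from the sanitize shard or from Crystal's stdlib) reimplements the character set that the deprecated `URI.encode` left unescaped and runs both encoders through the same decode-then-encode step that `html_sanitizer.cr:269` performs. The `LEGACY_KEEP` set and the `legacy_encode`, `canonicalize_legacy` and `canonicalize_path` names are assumptions made for this illustration, reconstructed from the expected/got strings in the failure above rather than copied from either project.

```crystal
require "uri"

# Bytes that the deprecated URI.encode left unescaped in addition to ASCII
# alphanumerics: RFC 3986 unreserved marks plus gen-delims and sub-delims.
# Assumed set for this example, derived from the issue's expected output.
LEGACY_KEEP = "-._~:/?#[]@!$&'()*+,;=".bytes.to_set

# Percent-encodes like the deprecated URI.encode did, so the old sanitizer
# output can be reproduced without calling the deprecated method.
def legacy_encode(input : String) : String
  String.build do |io|
    input.each_byte do |byte|
      if byte.chr.ascii_alphanumeric? || LEGACY_KEEP.includes?(byte)
        io << byte.chr
      else
        io << '%' << byte.to_s(16).upcase.rjust(2, '0')
      end
    end
  end
end

# Mirrors html_sanitizer.cr:269: decode first so already percent-encoded
# input is not double-encoded, then re-encode with the legacy rules.
def canonicalize_legacy(path : String) : String
  legacy_encode(URI.decode(path))
end

# Same step using the replacement the compiler suggests. encode_path keeps
# only unreserved characters and '/', so ':' '(' ')' become %3A %28 %29.
def canonicalize_path(path : String) : String
  URI.encode_path(URI.decode(path))
end

# Constructed sample attribute value matching the failing
# protocol_javascript case; both encoders neutralise the backslash and the
# quotes, they differ only on the reserved characters.
sample = "java\\script:alert(\"XSS\")"
puts canonicalize_legacy(sample)
puts canonicalize_path(sample)
```

Run with `crystal run` on 1.4.x; the two `puts` lines should print the issue's `Expected:` and `got:` strings respectively. Note that both outputs percent-encode the `\` and `"` bytes, which is what the sanitizer relies on to break `javascript:`-style protocol tricks; the spec failures come from `encode_path` additionally escaping the reserved characters the tests expect to survive, so a migration either has to relax the test expectations or keep an encoder with the legacy character set.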