This project is archived and is in readonly mode.

#2393 ✓resolved
Nancy McLaughlin

WhiteListSanitizer allows dt and dd but not dl

Reported by Nancy McLaughlin | April 1st, 2009 @ 04:04 PM | in 2.x

In /actionpack/lib/action_controller/vendor/html-scanner/html/sanitizer.rb there's this:

```ruby
# Specifies the default Set of tags that the sanitize helper will allow unscathed.
self.allowed_tags = Set.new(%w(strong em b i p code pre tt samp kbd var sub sup dfn cite big small address hr br div span h1 h2 h3 h4 h5 h6 ul ol li dt dd abbr acronym a img blockquote del ins))
```

I can't think of any reason to allow dt and dd tags and not dl (in fact, stripping out the dl tags leaves you with invalid HTML), so I'm wondering if that's just an oversight.
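To show the effect the ticket describes, here is an added example (not code from the ticket or from Rails' own parser-based sanitizer): a toy regex allowlist filter that drops any tag not in the set, run once with the 2.x list quoted above and once with dl added. The sample markup and the helper names are constructed for this illustration.

```ruby
# Added example, not the Rails sanitizer: a minimal allowlist tag filter that
# drops disallowed tags (keeping their text) and strips attributes from the
# tags it keeps. Regex-based, for illustration of the allowlist only.
require 'set'

# The default allowlist quoted from the 2.x sanitizer.rb in the ticket.
RAILS_2X_TAGS = Set.new(%w(strong em b i p code pre tt samp kbd var sub sup dfn cite
  big small address hr br div span h1 h2 h3 h4 h5 h6 ul ol li dt dd abbr acronym a
  img blockquote del ins))

# The same allowlist with the fix the ticket asks for.
FIXED_TAGS = RAILS_2X_TAGS | %w(dl)

TAG_RE = %r{</?([a-zA-Z][a-zA-Z0-9]*)[^>]*>}

# Remove every tag whose name is not in +allowed+; kept tags lose their attributes.
def strip_tags(html, allowed)
  html.gsub(TAG_RE) do |tag|
    name = Regexp.last_match(1).downcase
    next '' unless allowed.include?(name)
    tag.start_with?('</') ? "</#{name}>" : "<#{name}>"
  end
end

# Tag names that survive filtering, in document order.
def remaining_tags(html)
  html.scan(TAG_RE).flatten.map(&:downcase)
end

# True when dt/dd survive but no dl is left to contain them: the invalid-HTML
# outcome the ticket points out.
def orphaned_definition_items?(html)
  tags = remaining_tags(html)
  (tags & %w(dt dd)).any? && !tags.include?('dl')
end

# Constructed sample: a definition list plus a tag that neither allowlist permits.
SAMPLE = '<dl><dt>Term</dt><dd><font size="7">Definition</font></dd></dl>'

if __FILE__ == $0
  puts strip_tags(SAMPLE, RAILS_2X_TAGS)  # => <dt>Term</dt><dd>Definition</dd>
  puts strip_tags(SAMPLE, FIXED_TAGS)     # => <dl><dt>Term</dt><dd>Definition</dd></dl>
end
```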


Tickets have moved to Github

The new ticket tracker is available at https://github.com/rails/rails/issues
