
#916 ✓resolved
antonmos

WhiteListSanitizer removes unknown tags instead of escaping.

Reported by antonmos | August 27th, 2008 @ 03:45 PM | in 2.x

Quoting the comment in sanitizer.rb for the bad_tags member: "# Specifies a Set of 'bad' tags that the #sanitize helper will remove completely, as opposed to just escaping harmless tags like <font>"

However, the current code completely removes all unknown tags regardless of bad_tags set.

This is a problem because users may want to use text enclosed in < and > characters in their content (e.g. forum posts), and simply removing them is confusing and (unpleasantly) surprising.
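The distinction the ticket draws (remove the tags in bad_tags together with their content, keep allowed tags, and escape everything else so the reader still sees it) is easier to reason about with a small working implementation. The following is an added example written for this page; it is not Rails' WhiteListSanitizer and does not reproduce its code. The module name, the contents of the allow-lists, the BAD_TAGS set and the SAFE_HREF scheme check are all assumptions chosen for illustration, and the sample inputs are constructed.

```ruby
require 'set'

# Added example, not Rails' own code: a minimal allowlist sanitizer that
# behaves the way the ticket asks for. Allowed tags are kept (with a reduced
# attribute set), tags in BAD_TAGS are dropped together with their content,
# and any other tag, or a stray "<", is escaped so it stays visible as text.
module AllowlistSanitizer
  ALLOWED_TAGS  = Set.new(%w[a b i em strong p br code pre])  # assumed list
  ALLOWED_ATTRS = Set.new(%w[href title])                     # assumed list
  BAD_TAGS      = Set.new(%w[script style])                   # removed outright
  # Assumed scheme policy: http(s), mailto, relative and fragment links only.
  SAFE_HREF     = %r{\A(?:https?:|mailto:|/|#|[^:]*\z)}i

  TAG_RE  = %r{\A<(/?)([a-zA-Z][a-zA-Z0-9]*)([^<>]*?)\s*(/?)>\z}
  ATTR_RE = /([a-zA-Z][\w-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/

  # Escape text so that a bare "<", ">", "&" or '"' is displayed, not parsed.
  # Existing entities such as &amp; are left alone to avoid double-escaping.
  def self.escape_text(text)
    text.gsub(/&(?!(?:#\d+|#x[0-9a-f]+|[a-z]+);)/i, '&amp;')
        .gsub('<', '&lt;').gsub('>', '&gt;').gsub('"', '&quot;')
  end

  # Re-emit an allowed tag with only the allowed attributes, lower-cased.
  def self.rebuild_tag(name, attrs, closing, self_closing)
    return "</#{name}>" if closing == '/'
    kept = attrs.scan(ATTR_RE).filter_map do |key, *vals|
      key = key.downcase
      val = vals.compact.first.to_s
      next unless ALLOWED_ATTRS.include?(key)
      next if key == 'href' && val.strip !~ SAFE_HREF
      %( #{key}="#{escape_text(val)}")
    end
    "<#{name}#{kept.join}#{self_closing == '/' ? ' /' : ''}>"
  end

  def self.sanitize(html)
    out = +''
    skipping = nil   # name of the bad tag whose content is being dropped
    # The capture group keeps tag tokens interleaved with the text between them.
    html.split(%r{(</?[a-zA-Z][^<>]*>)}).each do |token|
      m = TAG_RE.match(token)
      if m.nil?                                # plain text, may hold "<3" etc.
        out << escape_text(token) unless skipping
        next
      end
      closing, name, attrs, self_closing = m.captures
      name = name.downcase
      if BAD_TAGS.include?(name)
        skipping = closing == '/' ? nil : name  # drop the tag and its content
      elsif skipping
        next                                    # still inside a bad element
      elsif ALLOWED_TAGS.include?(name)
        out << rebuild_tag(name, attrs, closing, self_closing)
      else
        out << escape_text(token)               # unknown tag is shown, not lost
      end
    end
    out
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample input exercising all three paths.
  puts AllowlistSanitizer.sanitize('I <3 <b>bold</b>, <foo>kept</foo> <script>x()</script>')
end
```

The escaping path is what the ticket wants for unknown tags: "<foo>" comes back as "&lt;foo&gt;" and a forum post containing "I <3 Ruby" keeps its heart, while the bad_tags path still removes script elements with their content. Tokenising with a regex is enough for the illustration, but a production sanitizer should be built on a real HTML parser, since browsers recover from malformed markup in ways a regex will not anticipate.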


Tickets have moved to Github

The new ticket tracker is available at https://github.com/rails/rails/issues
