From 3ecf9d6cfc8a92ae37e4f44b166c464801b4bff6 Mon Sep 17 00:00:00 2001
From: Dan Rice
Date: Sat, 21 May 2016 20:18:35 -0400
Subject: [PATCH] Update protocol whitelist for rails-html-sanitizer

---
 config/application.rb | 3 ---
 config/initializers/sanitizer.rb | 1 +
 2 files changed, 1 insertion(+), 3 deletions(-)
 create mode 100644 config/initializers/sanitizer.rb

diff --git a/config/application.rb b/config/application.rb
index 038cf12d3..972c93832 100644
--- a/config/application.rb
+++ b/config/application.rb
@@ -34,9 +34,6 @@ class Application < Rails::Application
     # configure Tracks to handle deployment in a subdir
     config.relative_url_root = SITE_CONFIG['subdir'] if SITE_CONFIG['subdir']
 
-    # allow onenote:// and message:// as protocols for urls
-    config.action_view.sanitized_allowed_protocols = 'onenote', 'message'
-
     config.middleware.insert_after ActionDispatch::ParamsParser, ActionDispatch::XmlParamsParser
   end
 end
diff --git a/config/initializers/sanitizer.rb b/config/initializers/sanitizer.rb
new file mode 100644
index 000000000..6d99f4042
--- /dev/null
+++ b/config/initializers/sanitizer.rb
@@ -0,0 +1 @@
+Loofah::HTML5::WhiteList::ALLOWED_PROTOCOLS.merge(%w(message onenote))
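Review bot: The added initializer line mutates Loofah's shared `ALLOWED_PROTOCOLS` set in place, so the two extra schemes are now accepted by every Loofah scrubber and every rails-html-sanitizer instance in the process, whereas the removed `config.action_view.sanitized_allowed_protocols` setting only widened ActionView's sanitize helper; the wider blast radius should be stated at the call site. The rationale comment that the application.rb hunk deletes is also lost, leaving a bare monkey-patch of a third-party constant with no explanation, so I would restore it here as `# allow onenote:// and message:// links to survive sanitization — note this widens Loofah's process-wide allowlist, not just ActionView's` above the `merge` call. If a later Loofah release freezes that set (or retires the `WhiteList` name), this line will raise at boot, which is preferable to silently dropping the schemes, but the failure mode is worth a one-line note so the next upgrade does not surprise anyone.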