DEV: Don’t patch Sanitize::Config

Currently we’re reopening the `Sanitize::Config` class (which is part of
the `sanitize` gem) to put our custom config for Onebox in it. This is
unnecessary as we can simply create a dedicated module to hold our
custom configuration.

lib/onebox.rb

@@ -20,7 +20,7 @@ module Onebox
     load_paths: [File.join(Rails.root, "lib/onebox/templates")],
     allowed_ports: [80, 443],
     allowed_schemes: ["http", "https"],
-    sanitize_config: Sanitize::Config::ONEBOX,
+    sanitize_config: SanitizeConfig::ONEBOX,
     redirect_limit: 5
   }
 

lib/onebox/discourse_onebox_sanitize_config.rb

@@ -1,18 +0,0 @@
-# frozen_string_literal: true
-
-module Onebox
-  class DiscourseOneboxSanitizeConfig
-    module Config
-      DISCOURSE_ONEBOX ||=
-        Sanitize::Config.freeze_config(
-          Sanitize::Config.merge(
-            Sanitize::Config::ONEBOX,
-            attributes: Sanitize::Config.merge(
-              Sanitize::Config::ONEBOX[:attributes],
-              'aside' => [:data]
-            )
-          )
-        )
-    end
-  end
-end

lib/onebox/preview.rb

@@ -81,7 +81,7 @@ module Onebox
     end
 
     def sanitize(html)
-      config = @options[:sanitize_config] || Sanitize::Config::ONEBOX
+      config = @options[:sanitize_config] || SanitizeConfig::ONEBOX
       config = config.merge(allowed_iframe_regexes: @options[:allowed_iframe_regexes])
 
       Sanitize.fragment(html, config)

lib/onebox/sanitize_config.rb

@@ -1,15 +1,14 @@
 # frozen_string_literal: true
 
-class Sanitize
-  module Config
-
+module Onebox
+  module SanitizeConfig
     HTTP_PROTOCOLS ||= ['http', 'https', :relative].freeze
 
-    ONEBOX ||= freeze_config merge(RELAXED,
-      elements: RELAXED[:elements] + %w[audio details embed iframe source video svg path],
+    ONEBOX ||= Sanitize::Config.freeze_config(Sanitize::Config.merge(Sanitize::Config::RELAXED,
+      elements: Sanitize::Config::RELAXED[:elements] + %w[audio details embed iframe source video svg path],
 
       attributes: {
-        'a' => RELAXED[:attributes]['a'] + %w(target),
+        'a' => Sanitize::Config::RELAXED[:attributes]['a'] + %w(target),
         'audio' => %w[controls controlslist],
         'embed' => %w[height src type width],
         'iframe' => %w[allowfullscreen frameborder height scrolling src width data-original-href data-unsanitized-src],
@@ -29,7 +28,7 @@ class Sanitize
         }
       },
 
-      transformers: (RELAXED[:transformers] || []) + [
+      transformers: (Sanitize::Config::RELAXED[:transformers] || []) + [
         lambda do |env|
           next unless env[:node_name] == 'a'
           a_tag = env[:node]
@@ -65,8 +64,19 @@ class Sanitize
       },
 
       css: {
-        properties: RELAXED[:css][:properties] + %w[--aspect-ratio]
+        properties: Sanitize::Config::RELAXED[:css][:properties] + %w[--aspect-ratio]
       }
+    ))
+
+    DISCOURSE_ONEBOX ||=
+      Sanitize::Config.freeze_config(
+        Sanitize::Config.merge(
+          ONEBOX,
+          attributes: Sanitize::Config.merge(
+            ONEBOX[:attributes],
+            'aside' => [:data]
+          )
+        )
       )
   end
 end

lib/oneboxer.rb

@@ -425,7 +425,7 @@ module Oneboxer
 
       onebox_options = {
         max_width: 695,
-        sanitize_config: Onebox::DiscourseOneboxSanitizeConfig::Config::DISCOURSE_ONEBOX,
+        sanitize_config: Onebox::SanitizeConfig::DISCOURSE_ONEBOX,
         allowed_iframe_origins: allowed_iframe_origins,
         hostname: GlobalSetting.hostname,
         facebook_app_access_token: SiteSetting.facebook_app_access_token,