Discource-C
/
discourse
mirror of https://github.com/discourse/discourse.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

FIX: Don't change the default allowed_attribute when calling #sanitize_field (#19770)

This commit is contained in:
Roman Rizzi 2023-01-06 11:47:15 -03:00 committed by GitHub
parent 5ce5ff053e
commit 7b5f7b4484
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 1 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
app/models/concerns/has_sanitizable_fields.rb
View File

@ -6,7 +6,7 @@ module HasSanitizableFields
def sanitize_field(field, additional_attributes: []) def sanitize_field(field, additional_attributes: [])
if field if field
sanitizer = Rails::Html::SafeListSanitizer.new sanitizer = Rails::Html::SafeListSanitizer.new
allowed_attributes = Rails::Html::SafeListSanitizer.allowed_attributes allowed_attributes = Rails::Html::SafeListSanitizer.allowed_attributes.dup
if additional_attributes.present? if additional_attributes.present?
allowed_attributes = allowed_attributes.merge(additional_attributes) allowed_attributes = allowed_attributes.merge(additional_attributes)