24 lines
771 B
Ruby
24 lines
771 B
Ruby
# frozen_string_literal: true
|
|
|
|
module HasSanitizableFields
|
|
extend ActiveSupport::Concern
|
|
|
|
def sanitize_field(field, additional_attributes: [])
|
|
if field
|
|
sanitizer = Rails::Html::SafeListSanitizer.new
|
|
allowed_attributes = Rails::Html::SafeListSanitizer.allowed_attributes
|
|
|
|
if additional_attributes.present?
|
|
allowed_attributes = allowed_attributes.merge(additional_attributes)
|
|
end
|
|
|
|
field = CGI.unescape_html(sanitizer.sanitize(field, attributes: allowed_attributes))
|
|
# Just replace the characters that our translations use for interpolation.
|
|
# Calling CGI.unescape removes characters like '+', which will corrupt the original value.
|
|
field = field.gsub('%7B', '{').gsub('%7D', '}')
|
|
end
|
|
|
|
field
|
|
end
|
|
end
|