FIX: Don't change the default allowed_attribute when calling #sanitize_field (#19770)

Roman Rizzi 2023-01-06 11:47:15 -03:00 committed by GitHub
parent 5ce5ff053e
commit 7b5f7b4484
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -6,7 +6,7 @@ module HasSanitizableFields
def sanitize_field(field, additional_attributes: [])
if field
sanitizer = Rails::Html::SafeListSanitizer.new
allowed_attributes = Rails::Html::SafeListSanitizer.allowed_attributes
allowed_attributes = Rails::Html::SafeListSanitizer.allowed_attributes.dup
if additional_attributes.present?
allowed_attributes = allowed_attributes.merge(additional_attributes)