mirror of
https://github.com/discourse/discourse.git
synced 2024-11-26 19:00:32 -06:00
24 lines
775 B
Ruby
24 lines
775 B
Ruby
# frozen_string_literal: true
|
|
|
|
module HasSanitizableFields
|
|
extend ActiveSupport::Concern
|
|
|
|
def sanitize_field(field, additional_attributes: [])
|
|
if field
|
|
sanitizer = Rails::Html::SafeListSanitizer.new
|
|
allowed_attributes = Rails::Html::SafeListSanitizer.allowed_attributes.dup
|
|
|
|
if additional_attributes.present?
|
|
allowed_attributes = allowed_attributes.merge(additional_attributes)
|
|
end
|
|
|
|
field = CGI.unescape_html(sanitizer.sanitize(field, attributes: allowed_attributes))
|
|
# Just replace the characters that our translations use for interpolation.
|
|
# Calling CGI.unescape removes characters like '+', which will corrupt the original value.
|
|
field = field.gsub("%7B", "{").gsub("%7D", "}")
|
|
end
|
|
|
|
field
|
|
end
|
|
end
|