# frozen_string_literal: true
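module HasSanitizableFields
  extend ActiveSupport::Concern

  # Sanitizes a user-supplied +field+ with the Rails safe-list HTML sanitizer,
  # HTML-unescapes the sanitizer's output, and restores the percent-encoded
  # braces (+%7B+ / +%7D+) that translation strings rely on for interpolation.
  #
  # @param field [String, nil] the raw value; +nil+ (or any falsy value) is
  #   returned unchanged
  # @param additional_attributes [Array<String>] attribute names permitted on
  #   top of +Rails::Html::SafeListSanitizer.allowed_attributes+; ignored when
  #   blank. Widening the allowlist is the caller's responsibility — do not pass
  #   event handlers (+on*+) or +style+ here.
  # @return [String, nil] the processed value, or +field+ itself when falsy
  #
  # SECURITY NOTE: +CGI.unescape_html+ runs AFTER sanitization and decodes every
  # entity the sanitizer emitted, so entity-encoded markup in the input (e.g.
  # +&lt;script&gt;+, or a +&quot;+ embedded in an allowed attribute value) can
  # come back out as literal +<+, +>+ and +"+. From a security standpoint the
  # return value is plain text, NOT safe HTML: escape it again at the point
  # where it is rendered.
  def sanitize_field(field, additional_attributes: [])
    return field unless field

    allowed_attributes = Rails::Html::SafeListSanitizer.allowed_attributes
    if additional_attributes.present?
      # +Set#merge+ is destructive: merging straight into the sanitizer's
      # class-level allowlist (a +Set+ in rails-html-sanitizer) would widen it
      # for every later sanitize call in the process — or raise if that set is
      # frozen. +dup+ keeps the widening local to this call.
      allowed_attributes = allowed_attributes.dup.merge(additional_attributes)
    end

    sanitizer = Rails::Html::SafeListSanitizer.new
    sanitized = sanitizer.sanitize(field, attributes: allowed_attributes)

    # Only the brace encodings are reversed here: a full +CGI.unescape+ would
    # also turn '+' into a space and corrupt the original value.
    CGI.unescape_html(sanitized).gsub('%7B', '{').gsub('%7D', '}')
  end
end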