allow title tags to pass through scrubber (#134)

* allow title tags to pass through scrubber * merge instead of add
ideacrew · Feb 26, 2024 · 4e2ba77 · 4e2ba77
1 parent 0607085
commit 4e2ba77
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 3 deletions.
diff --git a/app/models/concerns/sanitize_concern.rb b/app/models/concerns/sanitize_concern.rb
@@ -17,8 +17,8 @@ def sanitize_pdf(pdf_string)
 
       ActionController::Base.helpers.sanitize(
         pdf_string,
-        tags: Loofah::HTML5::WhiteList::ACCEPTABLE_ELEMENTS.add('style'),
-        attributes: Loofah::HTML5::WhiteList::ACCEPTABLE_ATTRIBUTES
+        tags: Loofah::HTML5::SafeList::ACCEPTABLE_ELEMENTS.dup.delete("select").merge(['style', 'title']),
+        attributes: Loofah::HTML5::SafeList::ACCEPTABLE_ATTRIBUTES
       )
     end
   end

diff --git a/spec/models/concerns/sanitize_concern_spec.rb b/spec/models/concerns/sanitize_concern_spec.rb
@@ -11,7 +11,8 @@ class FakeConcernTestClass
     context 'when the value is a string' do
       context 'when the value contains img tag' do
         let(:body) do
-          "<style>b {color: red}</style><script> x=new XMLHttpRequest;
+          "<title>Test</title>
+          <style>b {color: red}</style><script> x=new XMLHttpRequest;
           x.onload=function(){document.write(this.responseText)};
           x.open(\"GET\",\"file:////etc/passwd\");x.send() </script>
           <p class='red'>Uqhp Eligible Document for {{ family_reference.hbx_id }}
@@ -20,6 +21,7 @@ class FakeConcernTestClass
 
         it 'should include whitelisted tags' do
           expect(subject.sanitize_pdf(body)).to include('<style>')
+          expect(subject.sanitize_pdf(body)).to include('<title>')
         end
 
         it 'should not include non-whitelisted tags' do