Move SafeListSanitizer prune option from class to instance variable

Author: seyerian

lib/rails/html/sanitizer.rb

@@ -104,16 +104,14 @@ class SafeListSanitizer < Sanitizer
       class << self
         attr_accessor :allowed_tags
         attr_accessor :allowed_attributes
-        attr_accessor :prune
       end
       self.allowed_tags = Set.new(%w(strong em b i p code pre tt samp kbd var sub
         sup dfn cite big small address hr br div span h1 h2 h3 h4 h5 h6 ul ol li dl dt dd abbr
         acronym a img blockquote del ins))
       self.allowed_attributes = Set.new(%w(href src width height alt cite datetime title class name xml:lang abbr))
-      self.prune = false
 
-      def initialize
-        @permit_scrubber = PermitScrubber.new
+      def initialize(prune: false)
+        @permit_scrubber = PermitScrubber.new(prune: prune)
       end
 
       def sanitize(html, options = {})
@@ -125,10 +123,9 @@ def sanitize(html, options = {})
         if scrubber = options[:scrubber]
           # No duck typing, Loofah ensures subclass of Loofah::Scrubber
           loofah_fragment.scrub!(scrubber)
-        elsif allowed_tags(options) || allowed_attributes(options) || prune(options)
+        elsif allowed_tags(options) || allowed_attributes(options)
           @permit_scrubber.tags = allowed_tags(options)
           @permit_scrubber.attributes = allowed_attributes(options)
-          @permit_scrubber.prune = prune(options)
           loofah_fragment.scrub!(@permit_scrubber)
         else
           remove_xpaths(loofah_fragment, XPATHS_TO_REMOVE)
@@ -151,10 +148,6 @@ def allowed_tags(options)
       def allowed_attributes(options)
         options[:attributes] || self.class.allowed_attributes
       end
-
-      def prune(options)
-        options.key?(:prune) ? options[:prune] : self.class.prune
-      end
     end
 
     WhiteListSanitizer = SafeListSanitizer

lib/rails/html/scrubbers.rb

@@ -45,12 +45,11 @@ module Html
     # See the documentation for +Nokogiri::XML::Node+ to understand what's possible
     # with nodes: https://nokogiri.org/rdoc/Nokogiri/XML/Node.html
     class PermitScrubber < Loofah::Scrubber
-      attr_accessor :prune
-      attr_reader :tags, :attributes
+      attr_reader :tags, :attributes, :prune
 
-      def initialize
-        @direction = :bottom_up
-        @prune = false
+      def initialize(prune: false)
+        @prune = prune
+        @direction = @prune ? :top_down : :bottom_up
         @tags, @attributes = nil, nil
       end
 

test/sanitizer_test.rb

@@ -258,23 +258,10 @@ def test_custom_attributes_overrides_allowed_attributes
     end
   end
 
-  def test_setting_default_prune_affects_sanitization
-    scope_prune true do |sanitizer|
-      input = '<u>leave me <b>now</b></u>'
-      assert_equal '<u>leave me </u>', sanitizer.sanitize(input, tags: %w(u))
-    end
-  end
-
-  def test_custom_prune_overrides_default_prune
-    scope_prune true do |sanitizer|
-      input = '<u>leave me <b>now</b></u>'
-      assert_equal '<u>leave me now</u>', sanitizer.sanitize(input, tags: %w(u), prune: false)
-    end
-  end
-
-  def test_should_allow_custom_prune
-    input = '<u>leave me <b>now</b></u>'
-    assert_equal '<u>leave me </u>', safe_list_sanitize(input, tags: %w(u), prune: true)
+  def test_should_allow_prune
+    sanitizer = Rails::Html::SafeListSanitizer.new(prune: true)
+    text = '<u>leave me <b>now</b></u>'
+    assert_equal "<u>leave me </u>", sanitizer.sanitize(text, tags: %w(u))
   end
 
   def test_should_allow_custom_tags
@@ -648,14 +635,6 @@ def scope_allowed_attributes(attributes)
     Rails::Html::SafeListSanitizer.allowed_attributes = old_attributes
   end
 
-  def scope_prune(prune)
-    old_prune = Rails::Html::SafeListSanitizer.prune
-    Rails::Html::SafeListSanitizer.prune = prune
-    yield Rails::Html::SafeListSanitizer.new
-  ensure
-    Rails::Html::SafeListSanitizer.prune = old_prune
-  end
-
   # note that this is used for testing CSS hex encoding: \\[0-9a-f]{1,6}
   def convert_to_css_hex(string, escape_parens=false)
     string.chars.map do |c|

test/scrubbers_test.rb

@@ -67,9 +67,9 @@ def test_leaves_only_supplied_tags
   end
 
   def test_prunes_tags
-    html = '<tag>leave me <span>now</span></tag>'
+    @scrubber = Rails::Html::PermitScrubber.new(prune: true)
     @scrubber.tags = %w(tag)
-    @scrubber.prune = true
+    html = '<tag>leave me <span>now</span></tag>'
     assert_scrubbed html, '<tag>leave me </tag>'
   end
 
@@ -164,6 +164,13 @@ def test_targeting_tags_and_attributes_removes_only_them
     html = '<tag remove="" other=""></tag><a remove="" other=""></a>'
     assert_scrubbed html, '<a other=""></a>'
   end
+
+  def test_prunes_tags
+    @scrubber = Rails::Html::TargetScrubber.new(prune: true)
+    @scrubber.tags = %w(span)
+    html = '<tag>leave me <span>now</span></tag>'
+    assert_scrubbed html, '<tag>leave me </tag>'
+  end
 end
 
 class TextOnlyScrubberTest < ScrubberTest