Reputation: 4775
In Rails 7.0 and earlier, we customized the Trix editor to embed YouTube videos. As is customary, the video will be embedded via an iframe tag. The Rails sanitizer removes this tag as it can be abused to embed malicious websites.
Allowing the tag in config/initializers/action_text.rb used to do the trick.
Rails.application.config.after_initialize do
ActionText::ContentHelper.allowed_tags << "iframe"
end
Rails 7.1 has a new HTML5 sanitizer, but the old HTML4 one can still be used. This means ActionText::ContentHelper
is not yet defined when the application boots, so the snippet above will crash the server. I expected the after_initialize
to wait long enough for the sanitizer to be loaded, but no dice.
Unable to load application: NoMethodError: undefined method `<<' for nil:NilClass
config/initializers/action_text.rb:2:in `block in <top (required)>': undefined method `<<' for nil:NilClass (NoMethodError)
Any ideas on how to allow sanitized tags in Rails 7.1?
Upvotes: 6
Views: 1841
Reputation: 221
I was struggling with the same thing. I dug into the source and found out that our allowed_tags
setting is wrapped by sanitizer_allowed_tags
.
You can find that method here on Github. It boils down to this:
ActionText::ContentHelper.sanitizer.class.allowed_tags + [ ActionText::Attachment.tag_name, "figure", "figcaption" ]
That's what Rails actually uses as default for our allowed_tags
setting.
So if you want to add "iframe"
to that, you can do this in a initializer:
# initializers/whatever.rb
default_allowed_tags = Class.new.include(ActionText::ContentHelper).new.sanitizer_allowed_tags
ActionText::ContentHelper.allowed_tags = default_allowed_tags.add('iframe')
Hope that helps!
Upvotes: 3
Reputation: 1241
We ran into this recently as well. I still feel like I'm missing something in the documentation ...
We took a hybrid of the other solutions and went with the following knowing that we're using the rails 7.1 defaults in our config:
# config/initializers/action_text.rb
Rails.application.config.after_initialize do
default_allowed_attributes = Rails::HTML5::Sanitizer.safe_list_sanitizer.allowed_attributes + ActionText::Attachment::ATTRIBUTES.to_set
custom_allowed_attributes = Set.new(%w[controls data-controller role style])
ActionText::ContentHelper.allowed_attributes = (default_allowed_attributes + custom_allowed_attributes).freeze
default_allowed_tags = Rails::HTML5::Sanitizer.safe_list_sanitizer.allowed_tags + Set.new([ActionText::Attachment.tag_name, "figure", "figcaption"])
custom_allowed_tags = Set.new(%w[audio video source])
ActionText::ContentHelper.allowed_tags = (default_allowed_tags + custom_allowed_tags).freeze
end
Basically we took the defaults we found via the HTML5 sanitizer and added them to our custom tags.
I'm sure there is a way to access the configured sanitizer, however we felt this made it very explicit what we were doing. I think this PR comment was along the right track for the dynamic approach: https://github.com/rails/rails/commit/e8137c527dd6bd43f695b472f440cab7466243a6#r128790711
Now everything works like a charm! <3 Rails 7.1
Upvotes: 2
Reputation: 112
I was stuck with the same problem. According to ActionView 7.1.0 CHANGELOG it's nil until is set in the application.
The Rails 7.1 configuration will set this to Rails::HTML5::Sanitizer when it is supported, and fall back to Rails::HTML4::Sanitizer. Previous configurations default to Rails::HTML4::Sanitizer.
As a result of this change, the defaults for ActionText::ContentHelper.allowed_tags and .allowed_attributes are applied at runtime, so the value of these attributes is now 'nil' unless set by the application. You may call sanitizer_allowed_tags or sanitizer_allowed_attributes to inspect the tags and attributes being allowed by the sanitizer.
So, I decided to copy all tags from 'rails-html-sanitizer' gem to config/initializers/action_text.rb and also added my specific tags there
Rails.application.config.after_initialize do
ActionText::ContentHelper.allowed_tags = Set.new([
"a",
"abbr",
"acronym",
"address",
... # more tags go here
]).freeze
end
It did the job.
Upvotes: 2