rails-html-sanitizer 1.5.0 → 1.6.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGELOG.md +71 -0
- data/MIT-LICENSE +1 -1
- data/README.md +126 -70
- data/lib/rails/html/sanitizer/version.rb +4 -2
- data/lib/rails/html/sanitizer.rb +371 -104
- data/lib/rails/html/scrubbers.rb +70 -69
- data/lib/rails-html-sanitizer.rb +7 -23
- data/test/rails_api_test.rb +88 -0
- data/test/sanitizer_test.rb +900 -590
- data/test/scrubbers_test.rb +49 -36
- metadata +19 -63
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 365db7c11fc174c5da0a4a670fec92033cf277b71e7bb089534b2ad1bd48b314
|
4
|
+
data.tar.gz: b33e592de2e0081f1493d9fc29e8db1a26b2f727c20aa7d111332438bfbf2f1d
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: bafc9210e52f68f6ea033c1deb70d2d227a85a661f9c4fe988da876a73e29b7c86e0910d9705616ed536978d4c6cdf9e5a23b211e720c1f4c86d7b5ce04c03bf
|
7
|
+
data.tar.gz: acb3ed50bf5ebd95824bffc8efb4be8745c32e3d5bd5d157edc14648f4f00e07f308ce5ecb2889ae417d7cd999871f4860ac79ecb0864a25220683ae2edd5473
|
data/CHANGELOG.md
CHANGED
@@ -1,3 +1,65 @@
|
|
1
|
+
## 1.6.0 / 2023-05-26
|
2
|
+
|
3
|
+
* Dependencies have been updated:
|
4
|
+
|
5
|
+
- Loofah `~>2.21` and Nokogiri `~>1.14` for HTML5 parser support
|
6
|
+
- As a result, required Ruby version is now `>= 2.7.0`
|
7
|
+
|
8
|
+
Security updates will continue to be made on the `1.5.x` release branch as long as Rails 6.1
|
9
|
+
(which supports Ruby 2.5) is still in security support.
|
10
|
+
|
11
|
+
*Mike Dalessio*
|
12
|
+
|
13
|
+
* HTML5 standards-compliant sanitizers are now available on platforms supported by
|
14
|
+
Nokogiri::HTML5. These are available as:
|
15
|
+
|
16
|
+
- `Rails::HTML5::FullSanitizer`
|
17
|
+
- `Rails::HTML5::LinkSanitizer`
|
18
|
+
- `Rails::HTML5::SafeListSanitizer`
|
19
|
+
|
20
|
+
And a new "vendor" is provided at `Rails::HTML5::Sanitizer` that can be used in a future version
|
21
|
+
of Rails.
|
22
|
+
|
23
|
+
Note that for symmetry `Rails::HTML4::Sanitizer` is also added, though its behavior is identical
|
24
|
+
to the vendor class methods on `Rails::HTML::Sanitizer`.
|
25
|
+
|
26
|
+
Users may call `Rails::HTML::Sanitizer.best_supported_vendor` to get back the HTML5 vendor if it's
|
27
|
+
supported, else the legacy HTML4 vendor.
|
28
|
+
|
29
|
+
*Mike Dalessio*
|
30
|
+
|
31
|
+
* Module namespaces have changed, but backwards compatibility is provided by aliases.
|
32
|
+
|
33
|
+
The library defines three additional modules:
|
34
|
+
|
35
|
+
- `Rails::HTML` for general functionality (replacing `Rails::Html`)
|
36
|
+
- `Rails::HTML4` containing sanitizers that parse content as HTML4
|
37
|
+
- `Rails::HTML5` containing sanitizers that parse content as HTML5
|
38
|
+
|
39
|
+
The following aliases are maintained for backwards compatibility:
|
40
|
+
|
41
|
+
- `Rails::Html` points to `Rails::HTML`
|
42
|
+
- `Rails::HTML::FullSanitizer` points to `Rails::HTML4::FullSanitizer`
|
43
|
+
- `Rails::HTML::LinkSanitizer` points to `Rails::HTML4::LinkSanitizer`
|
44
|
+
- `Rails::HTML::SafeListSanitizer` points to `Rails::HTML4::SafeListSanitizer`
|
45
|
+
|
46
|
+
*Mike Dalessio*
|
47
|
+
|
48
|
+
* `LinkSanitizer` always returns UTF-8 encoded strings. `SafeListSanitizer` and `FullSanitizer`
|
49
|
+
already ensured this encoding.
|
50
|
+
|
51
|
+
*Mike Dalessio*
|
52
|
+
|
53
|
+
* `SafeListSanitizer` allows `time` tag and `lang` attribute by default.
|
54
|
+
|
55
|
+
*Mike Dalessio*
|
56
|
+
|
57
|
+
* The constant `Rails::Html::XPATHS_TO_REMOVE` has been removed. It's not necessary with the
|
58
|
+
existing sanitizers, and should have been a private constant all along anyway.
|
59
|
+
|
60
|
+
*Mike Dalessio*
|
61
|
+
|
62
|
+
|
1
63
|
## 1.5.0 / 2023-01-20
|
2
64
|
|
3
65
|
* `SafeListSanitizer`, `PermitScrubber`, and `TargetScrubber` now all support pruning of unsafe tags.
|
@@ -7,6 +69,7 @@
|
|
7
69
|
|
8
70
|
*seyerian*
|
9
71
|
|
72
|
+
|
10
73
|
## 1.4.4 / 2022-12-13
|
11
74
|
|
12
75
|
* Address inefficient regular expression complexity with certain configurations of Rails::Html::Sanitizer.
|
@@ -52,6 +115,7 @@
|
|
52
115
|
|
53
116
|
*Mike Dalessio*
|
54
117
|
|
118
|
+
|
55
119
|
## 1.4.2 / 2021-08-23
|
56
120
|
|
57
121
|
* Slightly improve performance.
|
@@ -60,6 +124,7 @@
|
|
60
124
|
|
61
125
|
*Mike Dalessio*
|
62
126
|
|
127
|
+
|
63
128
|
## 1.4.1 / 2021-08-18
|
64
129
|
|
65
130
|
* Fix regression in v1.4.0 that did not pass comment nodes to the scrubber.
|
@@ -72,6 +137,7 @@
|
|
72
137
|
|
73
138
|
*Mike Dalessio*
|
74
139
|
|
140
|
+
|
75
141
|
## 1.4.0 / 2021-08-18
|
76
142
|
|
77
143
|
* Processing Instructions are no longer allowed by Rails::Html::PermitScrubber
|
@@ -84,12 +150,14 @@
|
|
84
150
|
|
85
151
|
*Mike Dalessio*
|
86
152
|
|
153
|
+
|
87
154
|
## 1.3.0
|
88
155
|
|
89
156
|
* Address deprecations in Loofah 2.3.0.
|
90
157
|
|
91
158
|
*Josh Goodall*
|
92
159
|
|
160
|
+
|
93
161
|
## 1.2.0
|
94
162
|
|
95
163
|
* Remove needless `white_list_sanitizer` deprecation.
|
@@ -104,6 +172,7 @@
|
|
104
172
|
|
105
173
|
*Kasper Timm Hansen*
|
106
174
|
|
175
|
+
|
107
176
|
## 1.1.0
|
108
177
|
|
109
178
|
* Add `safe_list_sanitizer` and deprecate `white_list_sanitizer` to be removed
|
@@ -121,10 +190,12 @@
|
|
121
190
|
|
122
191
|
*Kasper Timm Hansen*
|
123
192
|
|
193
|
+
|
124
194
|
## 1.0.1
|
125
195
|
|
126
196
|
* Added support for Rails 4.2.0.beta2 and above
|
127
197
|
|
198
|
+
|
128
199
|
## 1.0.0
|
129
200
|
|
130
201
|
* First release.
|
data/MIT-LICENSE
CHANGED
data/README.md
CHANGED
@@ -1,108 +1,91 @@
|
|
1
|
-
# Rails
|
1
|
+
# Rails HTML Sanitizers
|
2
2
|
|
3
|
-
|
4
|
-
applications, i.e. in the `sanitize`, `sanitize_css`, `strip_tags` and `strip_links` methods.
|
3
|
+
This gem is responsible for sanitizing HTML fragments in Rails applications. Specifically, this is the set of sanitizers used to implement the Action View `SanitizerHelper` methods `sanitize`, `sanitize_css`, `strip_tags` and `strip_links`.
|
5
4
|
|
6
|
-
Rails
|
5
|
+
Rails HTML Sanitizer is only intended to be used with Rails applications. If you need similar functionality but aren't using Rails, consider using the underlying sanitization library [Loofah](https://github.com/flavorjones/loofah) directly.
|
7
6
|
|
8
|
-
## Installation
|
9
|
-
|
10
|
-
Add this line to your application's Gemfile:
|
11
|
-
|
12
|
-
gem 'rails-html-sanitizer'
|
13
|
-
|
14
|
-
And then execute:
|
15
|
-
|
16
|
-
$ bundle
|
17
|
-
|
18
|
-
Or install it yourself as:
|
19
|
-
|
20
|
-
$ gem install rails-html-sanitizer
|
21
7
|
|
22
8
|
## Usage
|
23
9
|
|
24
|
-
###
|
25
|
-
|
26
|
-
__Rails::HTML sanitizers are intended to be used by the view layer, at page-render time. They are *not* intended to sanitize persisted strings that will sanitized *again* at page-render time.__
|
27
|
-
|
28
|
-
Proper HTML sanitization will replace some characters with HTML entities. For example, `<` will be replaced with `<` to ensure that the markup is well-formed.
|
29
|
-
|
30
|
-
This is important to keep in mind because __HTML entities will render improperly if they are sanitized twice.__
|
31
|
-
|
32
|
-
|
33
|
-
#### A concrete example showing the problem that can arise
|
34
|
-
|
35
|
-
Imagine the user is asked to enter their employer's name, which will appear on their public profile page. Then imagine they enter `JPMorgan Chase & Co.`.
|
36
|
-
|
37
|
-
If you sanitize this before persisting it in the database, the stored string will be `JPMorgan Chase & Co.`
|
10
|
+
### Sanitizers
|
38
11
|
|
39
|
-
|
12
|
+
All sanitizers respond to `sanitize`, and are available in variants that use either HTML4 or HTML5 parsing, under the `Rails::HTML4` and `Rails::HTML5` namespaces, respectively.
|
40
13
|
|
41
|
-
|
14
|
+
NOTE: The HTML5 sanitizers are not supported on JRuby. Users may programmatically check for support by calling `Rails::HTML::Sanitizer.html5_support?`.
|
42
15
|
|
43
16
|
|
44
|
-
####
|
17
|
+
#### FullSanitizer
|
45
18
|
|
46
|
-
|
19
|
+
```ruby
|
20
|
+
full_sanitizer = Rails::HTML5::FullSanitizer.new
|
21
|
+
full_sanitizer.sanitize("<b>Bold</b> no more! <a href='more.html'>See more here</a>...")
|
22
|
+
# => Bold no more! See more here...
|
23
|
+
```
|
47
24
|
|
48
|
-
|
25
|
+
or, if you insist on parsing the content as HTML4:
|
49
26
|
|
50
|
-
|
27
|
+
```ruby
|
28
|
+
full_sanitizer = Rails::HTML4::FullSanitizer.new
|
29
|
+
full_sanitizer.sanitize("<b>Bold</b> no more! <a href='more.html'>See more here</a>...")
|
30
|
+
# => Bold no more! See more here...
|
31
|
+
```
|
51
32
|
|
33
|
+
HTML5 version:
|
52
34
|
|
53
|
-
### Sanitizers
|
54
35
|
|
55
|
-
All sanitizers respond to `sanitize`.
|
56
36
|
|
57
|
-
####
|
37
|
+
#### LinkSanitizer
|
58
38
|
|
59
39
|
```ruby
|
60
|
-
|
61
|
-
|
62
|
-
# =>
|
40
|
+
link_sanitizer = Rails::HTML5::LinkSanitizer.new
|
41
|
+
link_sanitizer.sanitize('<a href="example.com">Only the link text will be kept.</a>')
|
42
|
+
# => Only the link text will be kept.
|
63
43
|
```
|
64
44
|
|
65
|
-
|
45
|
+
or, if you insist on parsing the content as HTML4:
|
66
46
|
|
67
47
|
```ruby
|
68
|
-
link_sanitizer = Rails::
|
48
|
+
link_sanitizer = Rails::HTML4::LinkSanitizer.new
|
69
49
|
link_sanitizer.sanitize('<a href="example.com">Only the link text will be kept.</a>')
|
70
50
|
# => Only the link text will be kept.
|
71
51
|
```
|
72
52
|
|
53
|
+
|
73
54
|
#### SafeListSanitizer
|
74
55
|
|
56
|
+
This sanitizer is also available as an HTML4 variant, but for simplicity we'll document only the HTML5 variant below.
|
57
|
+
|
75
58
|
```ruby
|
76
|
-
safe_list_sanitizer = Rails::
|
59
|
+
safe_list_sanitizer = Rails::HTML5::SafeListSanitizer.new
|
77
60
|
|
78
61
|
# sanitize via an extensive safe list of allowed elements
|
79
62
|
safe_list_sanitizer.sanitize(@article.body)
|
80
63
|
|
81
|
-
#
|
64
|
+
# sanitize only the supplied tags and attributes
|
82
65
|
safe_list_sanitizer.sanitize(@article.body, tags: %w(table tr td), attributes: %w(id class style))
|
83
66
|
|
84
|
-
#
|
67
|
+
# sanitize via a custom scrubber
|
85
68
|
safe_list_sanitizer.sanitize(@article.body, scrubber: ArticleScrubber.new)
|
86
69
|
|
87
|
-
#
|
88
|
-
safe_list_sanitizer.
|
70
|
+
# prune nodes from the tree instead of stripping tags and leaving inner content
|
71
|
+
safe_list_sanitizer = Rails::HTML5::SafeListSanitizer.new(prune: true)
|
89
72
|
|
90
|
-
#
|
91
|
-
safe_list_sanitizer
|
73
|
+
# the sanitizer can also sanitize css
|
74
|
+
safe_list_sanitizer.sanitize_css('background-color: #000;')
|
92
75
|
```
|
93
76
|
|
94
77
|
### Scrubbers
|
95
78
|
|
96
79
|
Scrubbers are objects responsible for removing nodes or attributes you don't want in your HTML document.
|
97
80
|
|
98
|
-
This gem includes two scrubbers `Rails::
|
81
|
+
This gem includes two scrubbers `Rails::HTML::PermitScrubber` and `Rails::HTML::TargetScrubber`.
|
99
82
|
|
100
|
-
#### `Rails::
|
83
|
+
#### `Rails::HTML::PermitScrubber`
|
101
84
|
|
102
85
|
This scrubber allows you to permit only the tags and attributes you want.
|
103
86
|
|
104
87
|
```ruby
|
105
|
-
scrubber = Rails::
|
88
|
+
scrubber = Rails::HTML::PermitScrubber.new
|
106
89
|
scrubber.tags = ['a']
|
107
90
|
|
108
91
|
html_fragment = Loofah.fragment('<a><img/ ></a>')
|
@@ -113,14 +96,14 @@ html_fragment.to_s # => "<a></a>"
|
|
113
96
|
By default, inner content is left, but it can be removed as well.
|
114
97
|
|
115
98
|
```ruby
|
116
|
-
scrubber = Rails::
|
99
|
+
scrubber = Rails::HTML::PermitScrubber.new
|
117
100
|
scrubber.tags = ['a']
|
118
101
|
|
119
102
|
html_fragment = Loofah.fragment('<a><span>text</span></a>')
|
120
103
|
html_fragment.scrub!(scrubber)
|
121
104
|
html_fragment.to_s # => "<a>text</a>"
|
122
105
|
|
123
|
-
scrubber = Rails::
|
106
|
+
scrubber = Rails::HTML::PermitScrubber.new(prune: true)
|
124
107
|
scrubber.tags = ['a']
|
125
108
|
|
126
109
|
html_fragment = Loofah.fragment('<a><span>text</span></a>')
|
@@ -128,16 +111,16 @@ html_fragment.scrub!(scrubber)
|
|
128
111
|
html_fragment.to_s # => "<a></a>"
|
129
112
|
```
|
130
113
|
|
131
|
-
#### `Rails::
|
114
|
+
#### `Rails::HTML::TargetScrubber`
|
132
115
|
|
133
116
|
Where `PermitScrubber` picks out tags and attributes to permit in sanitization,
|
134
|
-
`Rails::
|
117
|
+
`Rails::HTML::TargetScrubber` targets them for removal. See https://github.com/flavorjones/loofah/blob/main/lib/loofah/html5/safelist.rb for the tag list.
|
135
118
|
|
136
119
|
**Note:** by default, it will scrub anything that is not part of the permitted tags from
|
137
120
|
loofah `HTML5::Scrub.allowed_element?`.
|
138
121
|
|
139
122
|
```ruby
|
140
|
-
scrubber = Rails::
|
123
|
+
scrubber = Rails::HTML::TargetScrubber.new
|
141
124
|
scrubber.tags = ['img']
|
142
125
|
|
143
126
|
html_fragment = Loofah.fragment('<a><img/ ></a>')
|
@@ -148,26 +131,27 @@ html_fragment.to_s # => "<a></a>"
|
|
148
131
|
Similarly to `PermitScrubber`, nodes can be fully pruned.
|
149
132
|
|
150
133
|
```ruby
|
151
|
-
scrubber = Rails::
|
134
|
+
scrubber = Rails::HTML::TargetScrubber.new
|
152
135
|
scrubber.tags = ['span']
|
153
136
|
|
154
137
|
html_fragment = Loofah.fragment('<a><span>text</span></a>')
|
155
138
|
html_fragment.scrub!(scrubber)
|
156
139
|
html_fragment.to_s # => "<a>text</a>"
|
157
140
|
|
158
|
-
scrubber = Rails::
|
141
|
+
scrubber = Rails::HTML::TargetScrubber.new(prune: true)
|
159
142
|
scrubber.tags = ['span']
|
160
143
|
|
161
144
|
html_fragment = Loofah.fragment('<a><span>text</span></a>')
|
162
145
|
html_fragment.scrub!(scrubber)
|
163
146
|
html_fragment.to_s # => "<a></a>"
|
164
147
|
```
|
148
|
+
|
165
149
|
#### Custom Scrubbers
|
166
150
|
|
167
151
|
You can also create custom scrubbers in your application if you want to.
|
168
152
|
|
169
153
|
```ruby
|
170
|
-
class CommentScrubber < Rails::
|
154
|
+
class CommentScrubber < Rails::HTML::PermitScrubber
|
171
155
|
def initialize
|
172
156
|
super
|
173
157
|
self.tags = %w( form script comment blockquote )
|
@@ -180,7 +164,7 @@ class CommentScrubber < Rails::Html::PermitScrubber
|
|
180
164
|
end
|
181
165
|
```
|
182
166
|
|
183
|
-
See `Rails::
|
167
|
+
See `Rails::HTML::PermitScrubber` documentation to learn more about which methods can be overridden.
|
184
168
|
|
185
169
|
#### Custom Scrubber in a Rails app
|
186
170
|
|
@@ -190,26 +174,98 @@ Using the `CommentScrubber` from above, you can use this in a Rails view like so
|
|
190
174
|
<%= sanitize @comment, scrubber: CommentScrubber.new %>
|
191
175
|
```
|
192
176
|
|
177
|
+
### A note on HTML entities
|
178
|
+
|
179
|
+
__Rails HTML sanitizers are intended to be used by the view layer, at page-render time. They are *not* intended to sanitize persisted strings that will be sanitized *again* at page-render time.__
|
180
|
+
|
181
|
+
Proper HTML sanitization will replace some characters with HTML entities. For example, text containing a `<` character will be updated to contain `<` to ensure that the markup is well-formed.
|
182
|
+
|
183
|
+
This is important to keep in mind because __HTML entities will render improperly if they are sanitized twice.__
|
184
|
+
|
185
|
+
|
186
|
+
#### A concrete example showing the problem that can arise
|
187
|
+
|
188
|
+
Imagine the user is asked to enter their employer's name, which will appear on their public profile page. Then imagine they enter `JPMorgan Chase & Co.`.
|
189
|
+
|
190
|
+
If you sanitize this before persisting it in the database, the stored string will be `JPMorgan Chase & Co.`
|
191
|
+
|
192
|
+
When the page is rendered, if this string is sanitized a second time by the view layer, the HTML will contain `JPMorgan Chase &amp; Co.` which will render as "JPMorgan Chase &amp; Co.".
|
193
|
+
|
194
|
+
Another problem that can arise is rendering the sanitized string in a non-HTML context (for example, if it ends up being part of an SMS message). In this case, it may contain inappropriate HTML entities.
|
195
|
+
|
196
|
+
|
197
|
+
#### Suggested alternatives
|
198
|
+
|
199
|
+
You might simply choose to persist the untrusted string as-is (the raw input), and then ensure that the string will be properly sanitized by the view layer.
|
200
|
+
|
201
|
+
That raw string, if rendered in an non-HTML context (like SMS), must also be sanitized by a method appropriate for that context. You may wish to look into using [Loofah](https://github.com/flavorjones/loofah) or [Sanitize](https://github.com/rgrove/sanitize) to customize how this sanitization works, including omitting HTML entities in the final string.
|
202
|
+
|
203
|
+
If you really want to sanitize the string that's stored in your database, you may wish to look into [Loofah::ActiveRecord](https://github.com/flavorjones/loofah-activerecord) rather than use the Rails HTML sanitizers.
|
204
|
+
|
205
|
+
|
206
|
+
### A note on module names
|
207
|
+
|
208
|
+
In versions < 1.6, the only module defined by this library was `Rails::Html`. Starting in 1.6, we define three additional modules:
|
209
|
+
|
210
|
+
- `Rails::HTML` for general functionality (replacing `Rails::Html`)
|
211
|
+
- `Rails::HTML4` containing sanitizers that parse content as HTML4
|
212
|
+
- `Rails::HTML5` containing sanitizers that parse content as HTML5 (if supported)
|
213
|
+
|
214
|
+
The following aliases are maintained for backwards compatibility:
|
215
|
+
|
216
|
+
- `Rails::Html` points to `Rails::HTML`
|
217
|
+
- `Rails::HTML::FullSanitizer` points to `Rails::HTML4::FullSanitizer`
|
218
|
+
- `Rails::HTML::LinkSanitizer` points to `Rails::HTML4::LinkSanitizer`
|
219
|
+
- `Rails::HTML::SafeListSanitizer` points to `Rails::HTML4::SafeListSanitizer`
|
220
|
+
|
221
|
+
|
222
|
+
## Installation
|
223
|
+
|
224
|
+
Add this line to your application's Gemfile:
|
225
|
+
|
226
|
+
gem 'rails-html-sanitizer'
|
227
|
+
|
228
|
+
And then execute:
|
229
|
+
|
230
|
+
$ bundle
|
231
|
+
|
232
|
+
Or install it yourself as:
|
233
|
+
|
234
|
+
$ gem install rails-html-sanitizer
|
235
|
+
|
236
|
+
|
237
|
+
## Support matrix
|
238
|
+
|
239
|
+
| branch | ruby support | actively maintained | security support |
|
240
|
+
|--------|--------------|---------------------|----------------------------------------|
|
241
|
+
| 1.6.x | >= 2.7 | yes | yes |
|
242
|
+
| 1.5.x | >= 2.5 | no | while Rails 6.1 is in security support |
|
243
|
+
| 1.4.x | >= 1.8.7 | no | no |
|
244
|
+
|
245
|
+
|
193
246
|
## Read more
|
194
247
|
|
195
248
|
Loofah is what underlies the sanitizers and scrubbers of rails-html-sanitizer.
|
249
|
+
|
196
250
|
- [Loofah and Loofah Scrubbers](https://github.com/flavorjones/loofah)
|
197
251
|
|
198
252
|
The `node` argument passed to some methods in a custom scrubber is an instance of `Nokogiri::XML::Node`.
|
253
|
+
|
199
254
|
- [`Nokogiri::XML::Node`](https://nokogiri.org/rdoc/Nokogiri/XML/Node.html)
|
200
255
|
- [Nokogiri](http://nokogiri.org)
|
201
256
|
|
202
|
-
## Contributing to Rails Html Sanitizers
|
203
257
|
|
204
|
-
|
258
|
+
## Contributing to Rails HTML Sanitizers
|
259
|
+
|
260
|
+
Rails HTML Sanitizers is work of many contributors. You're encouraged to submit pull requests, propose features and discuss issues.
|
205
261
|
|
206
262
|
See [CONTRIBUTING](CONTRIBUTING.md).
|
207
263
|
|
208
264
|
### Security reports
|
209
265
|
|
210
|
-
Trying to report a possible security vulnerability in this project? Please
|
211
|
-
|
212
|
-
guidelines about how to proceed.
|
266
|
+
Trying to report a possible security vulnerability in this project? Please check out the [Rails project's security policy](https://rubyonrails.org/security) for instructions.
|
267
|
+
|
213
268
|
|
214
269
|
## License
|
215
|
-
|
270
|
+
|
271
|
+
Rails HTML Sanitizers is released under the [MIT License](MIT-LICENSE).
|