diff --git a/lib/rails/html/sanitizer.rb b/lib/rails/html/sanitizer.rb
index 13fb963..5633ca1 100644
--- a/lib/rails/html/sanitizer.rb
+++ b/lib/rails/html/sanitizer.rb
@@ -141,25 +141,8 @@ def sanitize_css(style_string)
private
- def loofah_using_html5?
- # future-proofing, see https://github.com/flavorjones/loofah/pull/239
- Loofah.respond_to?(:html5_mode?) && Loofah.html5_mode?
- end
-
- def remove_safelist_tag_combinations(tags)
- if !loofah_using_html5? && tags.include?("select") && tags.include?("style")
- warn("WARNING: #{self.class}: removing 'style' from safelist, should not be combined with 'select'")
- tags.delete("style")
- end
- tags
- end
-
def allowed_tags(options)
- if options[:tags]
- remove_safelist_tag_combinations(options[:tags])
- else
- self.class.allowed_tags
- end
+ options[:tags] || self.class.allowed_tags
end
def allowed_attributes(options)
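Review bot: `allowed_tags` now returns `options[:tags]` exactly as the caller supplied it, so a per-call safelist containing both "select" and "style" is no longer filtered or warned about when Loofah is not in HTML5 mode. The comments in the deleted test say only an HTML5 parser drops "style" under "select" by itself, so unless an equivalent check exists outside this diff, the HTML4 path loses that protection; the regression test `test_disallow_the_dangerous_safelist_combination_of_select_and_style` is deleted in the same commit, so nothing would flag the gap. If the guard has moved, record that at the method, e.g. `# select+style safelist combination is rejected in <location placeholder>, not here`. If it has not, keep the check but filter a copy with `tags - ["style"]` instead of mutating the caller's array as the old `tags.delete("style")` did. The enclosing class begins outside the hunk, so any replacement check elsewhere in the file is not visible here.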
diff --git a/test/sanitizer_test.rb b/test/sanitizer_test.rb
index 7a60956..99221db 100644
--- a/test/sanitizer_test.rb
+++ b/test/sanitizer_test.rb
@@ -581,25 +581,6 @@ def test_exclude_node_type_comment
assert_equal("
text
text", safe_list_sanitize("
text
text"))
end
- def test_disallow_the_dangerous_safelist_combination_of_select_and_style
- input = ""
- tags = ["select", "style"]
- warning = /WARNING: Rails::Html::SafeListSanitizer: removing 'style' from safelist/
- sanitized = nil
- invocation = Proc.new { sanitized = safe_list_sanitize(input, tags: tags) }
-
- if html5_mode?
- # if Loofah is using an HTML5 parser,
- # then "style" should be removed by the parser as an invalid child of "select"
- assert_silent(&invocation)
- else
- # if Loofah is using an HTML4 parser,
- # then SafeListSanitizer should remove "style" from the safelist
- assert_output(nil, warning, &invocation)
- end
- refute_includes(sanitized, "style")
- end
-
%w[text/plain text/css image/png image/gif image/jpeg].each do |mediatype|
define_method "test_mediatype_#{mediatype}_allowed" do
input = %Q()
@@ -727,8 +708,4 @@ def libxml_2_9_14_recovery_lt_bang?
# then reverted in 2.10.0, see https://gitlab.gnome.org/GNOME/libxml2/-/issues/380
Nokogiri.method(:uses_libxml?).arity == -1 && Nokogiri.uses_libxml?("= 2.9.14")
end
-
- def html5_mode?
- ::Loofah.respond_to?(:html5_mode?) && ::Loofah.html5_mode?
- end
end