Merge pull request rails#54567 from flavorjones/flavorjones-document-sanitizer

rafaelfranca · web-flow · commit 847753ecd134 · 2025-02-18T14:06:12.000-08:00
doc: Explicitly state that modifying sanitizer allowlists is unsafe
diff --git a/actionview/lib/action_view/helpers/sanitize_helper.rb b/actionview/lib/action_view/helpers/sanitize_helper.rb
@@ -24,6 +24,12 @@ module SanitizeHelper
       #
       # Custom sanitization rules can also be provided.
       #
+      # <b>Warning</b>: Adding disallowed tags or attributes to the allowlists may introduce
+      # vulnerabilities into your application. Please rely on the default allowlists whenever
+      # possible, because they are curated to maintain security and safety. If you think that the
+      # default allowlists should be expanded, please {open an issue on the rails-html-sanitizer
+      # project}[https://github.com/rails/rails-html-sanitizer/issues].
+      #
       # Please note that sanitizing user-provided text does not guarantee that the
       # resulting markup is valid or even well-formed.
       #

Original file line number	Diff line number	Diff line change
`@@ -24,6 +24,12 @@ module SanitizeHelper`
`24`	`24`	`#`
`25`	`25`	`# Custom sanitization rules can also be provided.`
`26`	`26`	`#`
	`27`	`+ # <b>Warning</b>: Adding disallowed tags or attributes to the allowlists may introduce`
	`28`	`+ # vulnerabilities into your application. Please rely on the default allowlists whenever`
	`29`	`+ # possible, because they are curated to maintain security and safety. If you think that the`
	`30`	`+ # default allowlists should be expanded, please {open an issue on the rails-html-sanitizer`
	`31`	`+ # project}[https://github.com/rails/rails-html-sanitizer/issues].`
	`32`	`+ #`
`27`	`33`	`# Please note that sanitizing user-provided text does not guarantee that the`
`28`	`34`	`# resulting markup is valid or even well-formed.`
`29`	`35`	`#`