process_attributes_for
Bug that causes escape buildup
There is a bug in this meethod that causes an escape build up when you have links or image urls for example with ampersands in them. Over time, it goes something like this:
& -> & -> & -> & -> & -> etc
This breaks the url so links and images are not clickable/viewable. To fix, simply unescape before you reescape. Works like a charm. We have the following in an initializer, “html_sanitizer_patch.rb”, that fixes this behaviour.
module HTML class WhiteListSanitizer < Sanitizer protected def process_attributes_for(node, options) return unless node.attributes node.attributes.keys.each do |attr_name| value = node.attributes[attr_name].to_s if !options[:attributes].include?(attr_name) || contains_bad_protocols?(attr_name, value) node.attributes.delete(attr_name) else node.attributes[attr_name] = attr_name == 'style' ? sanitize_css(value) : CGI::escapeHTML(CGI::unescapeHTML(value)) end end end end end