Allow ActionText tags in Rails 7.1 with new sanitizers

Question

In Rails 7.0 and earlier, we customized the Trix editor to embed YouTube videos. As is customary, the video will be embedded via an iframe tag. The Rails sanitizer removes this tag as it can be abused to embed malicious websites.

Allowing the tag in config/initializers/action_text.rb used to do the trick.

Rails.application.config.after_initialize do
  ActionText::ContentHelper.allowed_tags << "iframe"
end

Rails 7.1 has a new HTML5 sanitizer, but the old HTML4 one can still be used. This means ActionText::ContentHelper is not yet defined when the application boots, so the snippet above will crash the server. I expected the after_initialize to wait long enough for the sanitizer to be loaded, but no dice.

Unable to load application: NoMethodError: undefined method `<<' for nil:NilClass
config/initializers/action_text.rb:2:in `block in <top (required)>': undefined method `<<' for nil:NilClass (NoMethodError)

Any ideas on how to allow sanitized tags in Rails 7.1?

Answer 1

I was stuck with the same problem. According to ActionView 7.1.0 CHANGELOG it's nil until is set in the application.

The Rails 7.1 configuration will set this to Rails::HTML5::Sanitizer when it is supported, and fall back to Rails::HTML4::Sanitizer. Previous configurations default to Rails::HTML4::Sanitizer.

As a result of this change, the defaults for ActionText::ContentHelper.allowed_tags and .allowed_attributes are applied at runtime, so the value of these attributes is now 'nil' unless set by the application. You may call sanitizer_allowed_tags or sanitizer_allowed_attributes to inspect the tags and attributes being allowed by the sanitizer.

So, I decided to copy all tags from 'rails-html-sanitizer' gem to config/initializers/action_text.rb and also added my specific tags there

Rails.application.config.after_initialize do
  ActionText::ContentHelper.allowed_tags = Set.new([
    "a",
    "abbr",
    "acronym",
    "address",
    ...  # more tags go here
  ]).freeze
end

It did the job.

Answer 2

We ran into this recently as well. I still feel like I'm missing something in the documentation ...

We took a hybrid of the other solutions and went with the following knowing that we're using the rails 7.1 defaults in our config:

# config/initializers/action_text.rb
Rails.application.config.after_initialize do
  default_allowed_attributes = Rails::HTML5::Sanitizer.safe_list_sanitizer.allowed_attributes + ActionText::Attachment::ATTRIBUTES.to_set
  custom_allowed_attributes = Set.new(%w[controls data-controller role style])
  ActionText::ContentHelper.allowed_attributes = (default_allowed_attributes + custom_allowed_attributes).freeze

  default_allowed_tags = Rails::HTML5::Sanitizer.safe_list_sanitizer.allowed_tags + Set.new([ActionText::Attachment.tag_name, "figure", "figcaption"])
  custom_allowed_tags = Set.new(%w[audio video source])
  ActionText::ContentHelper.allowed_tags = (default_allowed_tags + custom_allowed_tags).freeze
end

Basically we took the defaults we found via the HTML5 sanitizer and added them to our custom tags.

I'm sure there is a way to access the configured sanitizer, however we felt this made it very explicit what we were doing. I think this PR comment was along the right track for the dynamic approach: https://github.com/rails/rails/commit/e8137c527dd6bd43f695b472f440cab7466243a6#r128790711

Now everything works like a charm! <3 Rails 7.1

Answer 3

I was struggling with the same thing. I dug into the source and found out that our allowed_tags setting is wrapped by sanitizer_allowed_tags.

You can find that method here on Github. It boils down to this:

ActionText::ContentHelper.sanitizer.class.allowed_tags + [ ActionText::Attachment.tag_name, "figure", "figcaption" ]

That's what Rails actually uses as default for our allowed_tags setting.

So if you want to add "iframe" to that, you can do this in a initializer:

# initializers/whatever.rb
default_allowed_tags = Class.new.include(ActionText::ContentHelper).new.sanitizer_allowed_tags
ActionText::ContentHelper.allowed_tags = default_allowed_tags.add('iframe')

Hope that helps!