From d0dd4d19f8965419bd23cb2335a103572723c938 Mon Sep 17 00:00:00 2001
From: Ian James
Date: Mon, 2 Nov 2020 14:57:17 +0000
Subject: [PATCH 1/2] Swap sanitize for raw in detail guide template

The `sanitize` method was stripping out tables for reasons. This replaces it with the slightly more risky `raw` method that doesn't break the markup.

Using `sanitize`s allow list meant listing most of the HTML elements, and introducing a risk of further breakages if a element is accidently left out of the allow list.
---
 app/views/content_items/detailed_guide.html.erb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/app/views/content_items/detailed_guide.html.erb b/app/views/content_items/detailed_guide.html.erb
index 9b418a019..d0f81bd60 100644
--- a/app/views/content_items/detailed_guide.html.erb
+++ b/app/views/content_items/detailed_guide.html.erb
@@ -30,7 +30,7 @@
 } %>
 <%= render 'govuk_publishing_components/components/govspeak', {} do %>
- <%= sanitize(@content_item.govspeak_body[:content]) %>
+ <%= raw(@content_item.govspeak_body[:content]) %>
 <% end %>
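Review bot: The `+` line removes the only output-side HTML sanitization in this template, so whatever `@content_item.govspeak_body[:content]` holds is written into the page verbatim; the commit message calls this "slightly more risky" but does not record why the body can be trusted. If the content is presumably pre-rendered and sanitized by the publishing pipeline, that assumption belongs next to the call so nobody later reuses the pattern on user-supplied text, e.g. `<%# govspeak body is sanitized upstream; raw() here is deliberate, do not copy for untrusted input %>`. A narrower fix that keeps sanitization and only addresses the stripped tables is to extend Rails' default safelist rather than replace it, either app-wide via `config.action_view.sanitized_allowed_tags` or per call with `sanitize(body, tags: Rails::Html::SafeListSanitizer.allowed_tags + %w[table caption colgroup col thead tbody tfoot tr th td])`, which avoids listing every element, the breakage the message worries about. Whether tables were the only elements being stripped is not visible here and would need checking against the rendered content before choosing between the two.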
From 5c132c6a4b0f024991e9ec469434d67f08940d51 Mon Sep 17 00:00:00 2001
From: Ian James
Date: Mon, 2 Nov 2020 15:07:22 +0000
Subject: [PATCH 2/2] Swap sanitize for raw in body with related links partial

---
 app/views/content_items/_body_with_related_links.html.erb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/app/views/content_items/_body_with_related_links.html.erb b/app/views/content_items/_body_with_related_links.html.erb
index 6c1768c02..92547232c 100644
--- a/app/views/content_items/_body_with_related_links.html.erb
+++ b/app/views/content_items/_body_with_related_links.html.erb
@@ -13,7 +13,7 @@
 direction: page_text_direction,
 disable_youtube_expansions: true,
 } do %>
- <%= sanitize(@content_item.body) %>
+ <%= raw(@content_item.body) %>
 <% end %>
 <% if @content_item.last_updated && @content_item.schema_name == "help_page" %>
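Review bot: The `+` line applies the same `sanitize`-to-`raw` switch to `@content_item.body`, and the `schema_name == "help_page"` check on the following context line shows this partial serves more than one content schema, so every schema routed through it loses sanitization at once rather than only the one with the table problem. Before merging it would be worth confirming that each of those bodies comes from the same trusted, pre-sanitized source, and recording that at the call site, e.g. `<%# body is pre-rendered HTML from the publishing pipeline; raw() is deliberate, never use it on request-supplied input %>`. As in the detailed-guide template, adding the table elements to the sanitizer safelist (`config.action_view.sanitized_allowed_tags`) would keep the defence in depth without maintaining a full allow list. The enclosing `render ... do` block starts above the hunk, so its component name and other options are not visible here.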