add tests for surfacing issue, check if passed text is a range and if so change to string

nacengineer · nacengineer · commit e46ad490095e · 2025-04-17T12:03:26.000-05:00
diff --git a/lib/rails/html/sanitizer.rb b/lib/rails/html/sanitizer.rb
@@ -34,6 +34,7 @@ module Concern
       module ComposedSanitize
         def sanitize(html, options = {})
           return unless html
+          html = html.instance_of?(Range) ? html.to_s : html
           return html if html.empty?
 
           serialize(scrub(parse_fragment(html), options))
diff --git a/test/sanitizer_test.rb b/test/sanitizer_test.rb
@@ -137,6 +137,16 @@ def test_strip_cdata
       assert_includes(acceptable_results, result)
     end
 
+    def test_strip_passed_passed_duck_typed_range
+      input = 2000..2005
+      result = full_sanitize(input)
+      acceptable_results = [
+        "2000..2005",
+      ]
+
+      assert_includes(acceptable_results, result)
+    end
+
     def test_strip_blank_string
       assert_nil full_sanitize(nil)
       assert_equal "", full_sanitize("")
@@ -211,6 +221,10 @@ def test_strip_links_with_unclosed_tags
       assert_equal "", link_sanitize("<a<a")
     end
 
+    def test_strip_links_with_passed_duck_typed_range
+      assert_equal "2001..2005", link_sanitize(2001..2005)
+    end
+
     def test_strip_links_with_plaintext
       assert_equal "Don't touch me", link_sanitize("Don't touch me")
     end
@@ -295,6 +309,10 @@ def test_sanitize_form
       assert_sanitized "<form action=\"/foo/bar\" method=\"post\"><input></form>", ""
     end
 
+    def test_sanitize_passed_duck_typed_range
+      assert_sanitized 2001..2005, "2001..2005"
+    end
+
     def test_sanitize_plaintext
       # note that the `plaintext` tag has been deprecated since HTML 2
       # https://developer.mozilla.org/en-US/docs/Web/HTML/Element/plaintext
@@ -306,7 +324,19 @@ def test_sanitize_plaintext
         # xerces+nekohtml-unit
         "&lt;span&gt;foo&lt;/span&gt;&lt;/plaintext&gt;",
         # xerces+cyberneko
-        "&lt;span&gt;foo&lt;/span&gt;"
+        "&lt;span&gt;foo&lt;/span&gt;",
+      ]
+
+      assert_includes(acceptable_results, result)
+    end
+
+    def test_safe_sanitize_passed_duck_typed_range
+      # note that the `plaintext` tag has been deprecated since HTML 2
+      # https://developer.mozilla.org/en-US/docs/Web/HTML/Element/plaintext
+      input = 2001..2005
+      result = safe_list_sanitize(input)
+      acceptable_results = [
+        "2001..2005",
       ]
 
       assert_includes(acceptable_results, result)
