There is a security advisory for the sanitize gem.
Annoyingly, it is unlikely that we can update the gem easily (refer to and its pull request for more information), so we'll have to use the workaround mentioned.
To test, we’ll probably want to try creating a work with an embed (iframe in particular, so YouTube should be a good test) and our HTML regression test doc, located on the “HTML Tag Regression” page on the internal wiki.
Embed from YouTube looks good!
With the HTML Tag Regression doc, the name attribute was removed from the span when the document doesn't suggest that’s expected, but I think the document is wrong: the code only allows name on a tags, and that’s not a recent change.
I also noticed the text for the script tag was no longer sticking around, as indicated in <script>script tag, this text is still here</script><noscript>noscript</noscript>. This is different from production, but it is the correct behavior now: the workaround for this security issue is to remove any content inside script or noscript tags.
So looks good, basically!
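As an added illustration (not the project's or the sanitize gem's code) of the two behaviours compared above, the stand-in below drops script and noscript elements together with their text, keeps the name attribute only on a tags, and treats an unterminated script tag as an edge case; the allowlist, attribute table and StringScanner-based tokenizer are constructed for this example only.

```ruby
require "strscan"
require "cgi"

# Constructed, much-reduced stand-in for the app's real Sanitize config.
ALLOWED_ELEMENTS = %w[a span p].freeze
ALLOWED_ATTRIBUTES = { "a" => %w[name], "span" => %w[class] }.freeze
# Elements whose text content must go with them (the workaround behaviour).
REMOVE_WITH_CONTENTS = %w[script noscript].freeze

def filter_attrs(name, raw)
  allowed = ALLOWED_ATTRIBUTES.fetch(name, [])
  raw.scan(/([a-zA-Z-]+)="([^"]*)"/)
     .select { |k, _| allowed.include?(k.downcase) }
     .map { |k, v| %( #{k.downcase}="#{CGI.escapeHTML(v)}") }
     .join
end

# remove_contents: false reproduces the old behaviour (tag dropped, text kept);
# true reproduces the workaround (element and its contents dropped).
def sanitize_fragment(html, remove_contents: true)
  s = StringScanner.new(html)
  out = +""
  until s.eos?
    if (tag = s.scan(/<\/?([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/))
      name = s[1].downcase
      closing = tag.start_with?("</")
      if remove_contents && !closing && REMOVE_WITH_CONTENTS.include?(name)
        # Skip to the matching end tag, or to end of input if it is unterminated,
        # so an unclosed <script> cannot leave its content behind as text.
        s.skip_until(/<\/#{name}\s*>/i) || s.terminate
      elsif ALLOWED_ELEMENTS.include?(name)
        out << (closing ? "</#{name}>" : "<#{name}#{filter_attrs(name, s[2])}>")
      end
      # Any other tag is dropped; its text content falls through below.
    else
      out << CGI.escapeHTML(s.scan(/[^<]+/) || s.getch)
    end
  end
  out
end

# The regression case from the ticket, constructed inline.
SAMPLE = "<script>script tag, this text is still here</script><noscript>noscript</noscript>"

puts sanitize_fragment(SAMPLE, remove_contents: false) # old: text survives
puts sanitize_fragment(SAMPLE).inspect                  # workaround: ""
puts sanitize_fragment('<span name="x">s</span><a name="y">t</a>')
```

Text nodes are passed through CGI.escapeHTML as-is, so entities already present in the input are escaped again; the stand-in exists to show the content-removal rule, not to replace the gem.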
Posted a work with this content:
We ended up with (the element inside iframe is escaped):