Merge pull request #609 from ZmagoD/zd_SCI_1248_v2

fixes input sanitize method [fixes SCI-1248]

Gemfile

@@ -14,6 +14,7 @@ gem 'bootstrap_form'
 gem 'yomu'
 gem 'font-awesome-rails', '~> 4.6'
 gem 'recaptcha', require: 'recaptcha/rails'
+gem 'sanitize', '~> 4.4'
 
 # JS datetime library, requirement of datetime picker
 gem 'momentjs-rails', '>= 2.9.0'

Gemfile.lock

@@ -103,6 +103,7 @@ GEM
     colorize (0.8.1)
     commit_param_routing (0.0.1)
     concurrent-ruby (1.0.0)
+    crass (1.0.2)
     debug_inspector (0.0.2)
     deface (1.0.2)
       colorize (>= 0.5.8)
@@ -192,6 +193,8 @@ GEM
     nokogiri (1.6.8)
       mini_portile2 (~> 2.1.0)
       pkg-config (~> 1.1.7)
+    nokogumbo (1.4.10)
+      nokogiri
     oj (2.17.4)
     orm_adapter (0.5.0)
     paperclip (4.3.2)
@@ -266,6 +269,10 @@ GEM
     ruby-graphviz (1.2.2)
     ruby-progressbar (1.8.1)
     rubyzip (1.1.7)
+    sanitize (4.4.0)
+      crass (~> 1.0.2)
+      nokogiri (>= 1.4.4)
+      nokogumbo (~> 1.4.1)
     sass (3.4.23)
     sass-rails (5.0.4)
       railties (>= 4.0.0, < 5.0)
@@ -387,6 +394,7 @@ DEPENDENCIES
   rubocop
   ruby-graphviz (~> 1.2)
   rubyzip
+  sanitize (~> 4.4)
   sass-rails (~> 5.0)
   scss_lint
   sdoc (~> 0.4.0)

app/helpers/input_sanitize_helper.rb

@@ -1,13 +1,15 @@
+require 'sanitize'
+
 module InputSanitizeHelper
-  def sanitize_input(
+  # Rails default ActionController::Base.helpers.sanitize method call
+  # the ActiveRecord connecton method on the caller object which in
+  # our cases throws an error when called from not ActiveRecord objects
+  # such as SamplesDatatables
+  def sanitize_input(text, tags = [], attributes = [])
+    Sanitize.fragment(
       text,
-    tags = [],
+      elements: Constants::WHITELISTED_TAGS + tags,
-    attributes = []
+      attributes: { all: Constants::WHITELISTED_ATTRIBUTES + attributes }
-  )
-    ActionController::Base.helpers.sanitize(
-      text,
-      tags: Constants::WHITELISTED_TAGS + tags,
-      attributes: Constants::WHITELISTED_ATTRIBUTES + attributes
     )
   end