Leave whitespaced entities intact

lib/sanitize/rails/engine.rb

@@ -26,7 +26,8 @@ def config
 	@_config ||= {
 	  :elements => ::ActionView::Base.sanitized_allowed_tags.to_a,
 	  :attributes => { :all => ::ActionView::Base.sanitized_allowed_attributes.to_a },
-	  :protocols  => { :all => ::ActionView::Base.sanitized_allowed_protocols.to_a }
+	  :protocols  => { :all => ::ActionView::Base.sanitized_allowed_protocols.to_a },
+	  :entities_whitelist => {}
 	}
       end
     else
@@ -64,7 +65,7 @@ def callback_for(options) #:nodoc:
       point = (options[:on] || 'save').to_s
 
       unless %w( save create ).include?(point)
-        raise ArgumentError, "Invalid callback point #{point}, valid ones are :save and :create"
+	raise ArgumentError, "Invalid callback point #{point}, valid ones are :save and :create"
       end
 
       "before_#{point}".intern
@@ -76,8 +77,16 @@ def method_for(fields) #:nodoc:
 
     private
 
+    def decode_whitelistested_entities(string)
+      @_config[:entities_whitelist].each do |entity, decoded_value|
+	string.gsub!(entity.to_s, decoded_value.to_s)
+      end
+      string
+    end
+
     def cleaned_fragment(string)
-      cleaner.fragment(string)
+      sanitized_string = cleaner.fragment(string)
+      decode_whitelistested_entities(sanitized_string) unless @_config[:entities_whitelist].empty?
     end
   end
 end

test/sanitize_rails_engine_test.rb

@@ -53,6 +53,13 @@ def test_clean_not_producing_malicious_html_entities
     assert_equal string, "<script>hello & world</script>"
   end
 
+  def test_clean_not_making_explicit_html_entities
+    string = %Q|<script>hello & world</script>|
+    @engine.configure(entities_whitelist: { '&amp;': '&' })
+    @engine.clean! string
+    assert_equal string, "hello & world"
+  end
+
   def test_clean_making_html_entities
     string = %Q|<script>hello & world</script>|
     @engine.clean! string