From: Tom Hughes
Date: Sun, 22 Mar 2020 12:47:56 +0000 (+0000)
Subject: Make linkify return an HTML safe result for unsafe inputs
X-Git-Tag: live~2185
X-Git-Url: https://git.openstreetmap.org/rails.git/commitdiff_plain/e693063fa55f613364527abb7dbef0933bfe042e

Make linkify return an HTML safe result for unsafe inputs

Fixes #2567
---
diff --git a/app/helpers/application_helper.rb b/app/helpers/application_helper.rb
index 0f2c862e6..79c6e6134 100644
--- a/app/helpers/application_helper.rb
+++ b/app/helpers/application_helper.rb
@@ -5,7 +5,7 @@ module ApplicationHelper
     if text.html_safe?
       Rinku.auto_link(text, :urls, tag_builder.tag_options(:rel => "nofollow")).html_safe
     else
-      Rinku.auto_link(text, :urls, tag_builder.tag_options(:rel => "nofollow"))
+      Rinku.auto_link(ERB::Util.h(text), :urls, tag_builder.tag_options(:rel => "nofollow")).html_safe
     end
   end
diff --git a/test/helpers/application_helper_test.rb b/test/helpers/application_helper_test.rb
index 16b1040e5..dc45a6c07 100644
--- a/test/helpers/application_helper_test.rb
+++ b/test/helpers/application_helper_test.rb
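Review bot: The added `else` line escapes the unsafe input with `ERB::Util.h(text)` before Rinku sees it, but nothing in the method records why that order is load-bearing: marking Rinku's output `.html_safe` is only sound because every byte it receives is already escaped, and a later edit that moved the escaping after `auto_link` would also escape the generated anchor markup. Suggest a comment above the `if`: `# Rinku's output is marked html_safe, so unsafe input must be escaped before autolinking, never after.` Since both branches now return an html_safe string and differ only in whether the input is escaped first, the body could collapse to `text = ERB::Util.h(text) unless text.html_safe?` followed by a single `Rinku.auto_link(text, :urls, tag_builder.tag_options(:rel => "nofollow")).html_safe`, which removes the duplicated call that the two branches must otherwise keep in step. The enclosing `def linkify(text)` begins before this hunk.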
@@ -13,27 +13,27 @@ class ApplicationHelperTest < ActionView::TestCase
   def test_linkify
     %w[http://example.com/test ftp://example.com/test https://example.com/test].each do |link|
-      text = "Test #{link} is made into a link"
+      text = "Test #{link} is made into a link"
       html = linkify(text)
-      assert_equal false, html.html_safe?
-      assert_dom_equal "Test #{link} is made into a link", html
+      assert_equal true, html.html_safe?
+      assert_dom_equal "Test #{link} is <b>made</b> into a link", html
       html = linkify(text.html_safe)
       assert_equal true, html.html_safe?
-      assert_dom_equal "Test #{link} is made into a link", html
+      assert_dom_equal "Test #{link} is made into a link", html
     end
     %w[test@example.com mailto:test@example.com].each do |link|
-      text = "Test #{link} is not made into a link"
+      text = "Test #{link} is not made into a link"
       html = linkify(text)
-      assert_equal false, html.html_safe?
-      assert_dom_equal text, html
+      assert_equal true, html.html_safe?
+      assert_dom_equal "Test #{link} is not <b>made</b> into a link", html
       html = linkify(text.html_safe)
       assert_equal true, html.html_safe?
-      assert_dom_equal text, html
+      assert_dom_equal "Test #{link} is not made into a link", html
     end
   end
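Review bot: The new assertions only exercise a tag in the surrounding prose; none of the link values in either `%w[...]` list contain a character that `ERB::Util.h` rewrites (`&`, `'`, `"`), so the tests do not show whether escaping before autolinking changes where Rinku ends a URL or what ends up in the generated `href`. Adding one entry such as `http://example.com/test?a=1&b=2` to the first list and asserting the exact anchor produced for it would pin that behaviour down for both the unsafe and the `html_safe` paths. Whether Rinku treats an entity like `&amp;` as part of the URL is inferred from the ordering in the helper, not visible in this hunk.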