diff --git a/config/application.rb b/config/application.rb
index fd58bf731..9e206a487 100644
--- a/config/application.rb
+++ b/config/application.rb
@@ -41,7 +41,7 @@ module TPS
config.assets.precompile += ['.woff']
default_allowed_tags = ActionView::Base.sanitized_allowed_tags
- config.action_view.sanitized_allowed_tags = default_allowed_tags + ['u']
+ config.action_view.sanitized_allowed_tags = default_allowed_tags + ['u'] - ['img']
# ActionDispatch's IP spoofing detection is quite limited, and often rejects
# legitimate requests from misconfigured proxies (such as mobile telcos).
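Review bot: The `- ['img']` on the new allowlist line is a deliberate hardening of the sanitizer, but nothing on the line says so, and a later reader of this config cannot tell it apart from an accident. I would record the reason above the assignment: `# 'img' is removed on purpose: user-authored content must not embed images that make every reader's browser fetch remote resources.` The effect also relies on `img` being in `ActionView::Base.sanitized_allowed_tags` to begin with (it is in Rails' default safe list as far as I know), so a spec asserting that `img` is absent from `config.action_view.sanitized_allowed_tags` would make the intent checkable. Relatedly, the spec in this commit sets the body to `'Hello'`, so it never pushes an `<img>` through the sanitizer and would still pass if this line regressed; a body that actually contains an `<img src=...>` tag would pin the behaviour. The enclosing `module TPS` and application class start and end outside the hunk.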
diff --git a/spec/components/dossiers/message_component_spec.rb b/spec/components/dossiers/message_component_spec.rb
index b159912c2..e6b061548 100644
--- a/spec/components/dossiers/message_component_spec.rb
+++ b/spec/components/dossiers/message_component_spec.rb
@@ -16,6 +16,11 @@ RSpec.describe Dossiers::MessageComponent, type: :component do
it { is_expected.to have_button("RĂ©pondre") }
+ context 'escape tag' do
+ before { commentaire.update(body: 'Hello') }
+ it { is_expected.not_to have_selector('img[src="demarches-simplifiees.fr"]') }
+ end
+
context 'with a seen_at after commentaire created_at' do
let(:seen_at) { commentaire.created_at + 1.hour }