From 235da8b04a4725f97c73758418343a49c2bb59f0 Mon Sep 17 00:00:00 2001
From: Martin
Date: Thu, 1 Dec 2022 17:36:53 +0100
Subject: [PATCH] amelioration(sanitize): assainie aussi les balises

---
 config/application.rb | 2 +-
 spec/components/dossiers/message_component_spec.rb | 5 +++++
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/config/application.rb b/config/application.rb
index fd58bf731..9e206a487 100644
--- a/config/application.rb
+++ b/config/application.rb
@@ -41,7 +41,7 @@ module TPS
 config.assets.precompile += ['.woff']
 default_allowed_tags = ActionView::Base.sanitized_allowed_tags
- config.action_view.sanitized_allowed_tags = default_allowed_tags + ['u']
+ config.action_view.sanitized_allowed_tags = default_allowed_tags + ['u'] - ['img']
 # ActionDispatch's IP spoofing detection is quite limited, and often rejects
 # legitimate requests from misconfigured proxies (such as mobile telcos).
diff --git a/spec/components/dossiers/message_component_spec.rb b/spec/components/dossiers/message_component_spec.rb
index b159912c2..e6b061548 100644
--- a/spec/components/dossiers/message_component_spec.rb
+++ b/spec/components/dossiers/message_component_spec.rb
@@ -16,6 +16,11 @@ RSpec.describe Dossiers::MessageComponent, type: :component do
 it { is_expected.to have_button("RĂ©pondre") }
+ context 'escape tag' do
+ before { commentaire.update(body: 'Hello') }
+ it { is_expected.not_to have_selector('img[src="demarches-simplifiees.fr"]') }
+ end
+
 context 'with a seen_at after commentaire created_at' do
 let(:seen_at) { commentaire.created_at + 1.hour }
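Review bot: The new `sanitized_allowed_tags` line in config/application.rb changes the allow-list for every `sanitize` call in the application, not only for message bodies, and nothing on the line says why `img` is being dropped; a reader later "fixing" the list back would silently reopen the issue. I would document the intent right above the assignment: `# Also strip <img>: message bodies are user-supplied, and a remote image would let the sender learn when a message is read (the reader's browser fetches it). Applies app-wide.` It is also worth a sentence noting that the default attribute allow-list is untouched, so `src` is still permitted on any tag that remains allowed, which is presumably intended but should be stated. The enclosing `class Application` starts before this hunk.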
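Review bot: In the new `context 'escape tag'` block, the fixture body set on the `before` line is the plain string `'Hello'`, which contains no `<img>` at all, so the expectation `is_expected.not_to have_selector('img[src="demarches-simplifiees.fr"]')` would pass even without the sanitizer change; if the tag was lost when this diff was rendered, disregard, but as shown the test does not exercise the new behaviour. I would make the fixture carry the markup and also assert the surrounding text survives so over-sanitization is caught: `before { commentaire.update(body: 'Hello <img src="demarches-simplifiees.fr">') }`, `it { is_expected.not_to have_selector('img') }`, `it { is_expected.to have_text('Hello') }`. Matching any `img` rather than one exact `src` value keeps the test meaningful if the fixture URL changes.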