Make linkify return an HTML safe result for unsafe inputs

Fixes #2567
Tom Hughes 2020-03-22 12:47:56 +00:00
parent 3184bec5ae
commit e693063fa5
2 changed files with 9 additions and 9 deletions


@ -5,7 +5,7 @@ module ApplicationHelper
if text.html_safe?
Rinku.auto_link(text, :urls, tag_builder.tag_options(:rel => "nofollow")).html_safe
else
Rinku.auto_link(text, :urls, tag_builder.tag_options(:rel => "nofollow"))
Rinku.auto_link(ERB::Util.h(text), :urls, tag_builder.tag_options(:rel => "nofollow")).html_safe
end
end
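Review bot: The new branch duplicates the `tag_builder.tag_options(:rel => "nofollow")` call and the trailing `.html_safe` from the html_safe branch; the only thing that differs is whether the input is escaped first, so the escape alone could be conditional: `text = ERB::Util.h(text) unless text.html_safe?` followed by a single `Rinku.auto_link(text, :urls, tag_builder.tag_options(:rel => "nofollow")).html_safe`. Either way, the `.html_safe` on the result is a trust assertion that deserves a comment, since it presumes Rinku adds nothing beyond `<a>` markup around the URLs it matches in already-escaped text — something like `# Input is escaped before linkifying; the result is marked html_safe on the assumption that Rinku only wraps matched URLs in <a> tags`. The enclosing `linkify` method starts before the hunk.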


@ -13,27 +13,27 @@ class ApplicationHelperTest < ActionView::TestCase
def test_linkify
%w[http://example.com/test ftp://example.com/test https://example.com/test].each do |link|
text = "Test #{link} is made into a link"
text = "Test #{link} is <b>made</b> into a link"
html = linkify(text)
assert_equal false, html.html_safe?
assert_dom_equal "Test <a href=\"#{link}\" rel=\"nofollow\">#{link}</a> is made into a link", html
assert_equal true, html.html_safe?
assert_dom_equal "Test <a href=\"#{link}\" rel=\"nofollow\">#{link}</a> is &lt;b&gt;made&lt;/b&gt; into a link", html
html = linkify(text.html_safe)
assert_equal true, html.html_safe?
assert_dom_equal "Test <a href=\"#{link}\" rel=\"nofollow\">#{link}</a> is made into a link", html
assert_dom_equal "Test <a href=\"#{link}\" rel=\"nofollow\">#{link}</a> is <b>made</b> into a link", html
end
%w[test@example.com mailto:test@example.com].each do |link|
text = "Test #{link} is not made into a link"
text = "Test #{link} is not <b>made</b> into a link"
html = linkify(text)
assert_equal false, html.html_safe?
assert_dom_equal text, html
assert_equal true, html.html_safe?
assert_dom_equal "Test #{link} is not &lt;b&gt;made&lt;/b&gt; into a link", html
html = linkify(text.html_safe)
assert_equal true, html.html_safe?
assert_dom_equal text, html
assert_dom_equal "Test #{link} is not <b>made</b> into a link", html
end
end
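Review bot: The assertions on `html.html_safe?` use `assert_equal true`/`assert_equal false`, which on failure only report "expected true, got false"; `assert_predicate html, :html_safe?` and `assert_not_predicate html, :html_safe?` give a message naming the object and predicate. The updated cases only place markup outside the link, so the escape-then-link ordering is not exercised for a URL containing characters `ERB::Util.h` rewrites (for example `&` in a query string); a case such as `http://example.com/test?a=1&b=2` asserting the href survives intact would pin that the escaping does not corrupt the generated link. Whether Rinku handles the pre-escaped `&amp;` as part of the URL is inferred from the code path here, not shown, so that case is worth adding rather than assuming.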