Make linkify return an HTML safe result for unsafe inputs

Fixes #2567
2020-03-22 12:47:56 +00:00 · 2020-03-22 12:47:56 +00:00 · e693063fa5
commit e693063fa5
parent 3184bec5ae
2 changed files with 9 additions and 9 deletions
--- a/app/helpers/application_helper.rb
+++ b/app/helpers/application_helper.rb
@ -5,7 +5,7 @@ module ApplicationHelper
    if text.html_safe?
      Rinku.auto_link(text, :urls, tag_builder.tag_options(:rel => "nofollow")).html_safe
    else
-      Rinku.auto_link(text, :urls, tag_builder.tag_options(:rel => "nofollow"))
+      Rinku.auto_link(ERB::Util.h(text), :urls, tag_builder.tag_options(:rel => "nofollow")).html_safe
    end
  end