Check this: https://example.com
), + %(Check this: https://example.com
), format_html("Check this: https://example.com
") assert_equal_html \ - %(Check this: https://example.com/
), + %(Check this: https://example.com/
), format_html("Check this: https://example.com/
") end + test "convert multiple URLs in the same string" do + assert_equal_html \ + %(Visit https://foo.com/. Also see https://bar.com/!), + format_html("Visit https://foo.com/. Also see https://bar.com/!") + end + test "don't include punctuation in URL autolinking" do assert_equal_html \ - %(Check this: https://example.com/!
), + %(Check this: https://example.com/!
), format_html("Check this: https://example.com/!
") assert_equal_html \ - %(Check this: https://example.com/.
), + %(Check this: https://example.com/.
), format_html("Check this: https://example.com/.
") assert_equal_html \ - %(Check this: https://example.com/?
), + %(Check this: https://example.com/?
), format_html("Check this: https://example.com/?
") assert_equal_html \ - %(Check this: https://example.com/,
), + %(Check this: https://example.com/,
), format_html("Check this: https://example.com/,
") assert_equal_html \ - %(Check this: https://example.com/:
), + %(Check this: https://example.com/:
), format_html("Check this: https://example.com/:
") assert_equal_html \ - %(Check this: https://example.com/;
), + %(Check this: https://example.com/;
), format_html("Check this: https://example.com/;
") assert_equal_html \ - %(Check this: https://example.com/"
), + %(Check this: https://example.com/"
), format_html("Check this: https://example.com/\"
") assert_equal_html \ - %(Check this: https://example.com/'
), + %(Check this: https://example.com/'
), format_html("Check this: https://example.com/'
") # trailing entities that decode to punctuation # use assert_equal and not assert_equal_html to make sure we're getting entities correct assert_equal \ - %(Check this: https://example.com/<
), + %(Check this: https://example.com/<
), format_html("Check this: https://example.com/<
") assert_equal \ - %(Check this: https://example.com/>
), + %(Check this: https://example.com/>
), format_html("Check this: https://example.com/>
") assert_equal \ - %(Check this: https://example.com/"
), + %(Check this: https://example.com/"
), format_html("Check this: https://example.com/"
") # multiple punctuation characters including entities assert_equal_html \ - %(Check this: https://example.com/!?;
), + %(Check this: https://example.com/!?;
), format_html("Check this: https://example.com/!?;
") assert_equal_html \ - %(<img src="https://example.com/">), + %(<img src="https://example.com/">), format_html(%(<img src="https://example.com/">)) assert_equal_html \ - %(<img src="https://example.com/"!>), + %(<img src="https://example.com/"!>), format_html(%(<img src="https://example.com/"!>)) end + test "make sure the linked content is properly sanitized" do + # https://hackerone.com/reports/3481093 + result = format_html(%(https://google.com/\">test</a><input></input>)) + assert_no_match(//i, result, "should not create an input element") + + result = format_html(%(https://google.com/\"><script>alert('xss')</script>)) + assert_no_match(/