Commit Graph

7 Commits

Author SHA1 Message Date
Mike Dalessio 4579f7cd61 Avoid string manipulation when autolinking.
Instead, let's use a Loofah scrubber which will create DOM nodes
directly. This should be faster and is a tiny bit simpler, as well as
removing a potential HTML injection vector.

Also, add "noreferrer" to all `mailto:` links (already present on URLs).
2025-12-29 12:21:00 -05:00
Mike Dalessio e0c821f69b Autolinking is more robust
and handles URLs with CGI params, recognizes more (and multiple)
trailing punctuation marks including entity-encoded punctuation like
`"`.
2025-12-10 10:42:24 -05:00
Mike Dalessio c5721b8187 Avoid unescaping characters when auto-linking
which could lead to Nokogiri unintentionally parsing tags from a
previously-escaped text node.
2025-12-10 10:38:43 -05:00
Mike Dalessio 00eee29837 Validate Identity email address
using the "standard" email regexp URI::MailTo::EMAIL_REGEXP. The form
field will validate this in the browser, but if bots are creating
identities, they can put whatever they want in here. So let's add some
protection against that.

The HtmlHelper regex was renamed here to avoid confusing Brakeman,
which does imprecise constant lookup and was confusing the two
constants, one of which uses `\A` and `\z` and the other does
not (intentionally).

ref: https://app.fizzy.do/5986089/cards/3276
2025-12-04 14:01:15 -05:00
Mike Dalessio 1302fe9da2 Autolinking shouldn't include final punctuation. 2025-06-02 14:16:02 -04:00
Jorge Manrubia e973df97e2 Use more complete regexp
https://github.com/basecamp/fizzy/pull/564/files#r2119855866
2025-06-02 11:43:07 +02:00
Jorge Manrubia 5214a74c03 Autolink emails and URLs at rendering time 2025-06-01 22:24:24 +02:00