require "test_helper" class HtmlHelperTest < ActionView::TestCase test "convert URLs into anchor tags" do assert_equal_html \ %(

Check this: https://example.com

), format_html("

Check this: https://example.com

") assert_equal_html \ %(

Check this: https://example.com/

), format_html("

Check this: https://example.com/

") end test "convert multiple URLs in the same string" do assert_equal_html \ %(Visit https://foo.com/. Also see https://bar.com/!), format_html("Visit https://foo.com/. Also see https://bar.com/!") end test "don't include punctuation in URL autolinking" do assert_equal_html \ %(

Check this: https://example.com/!

), format_html("

Check this: https://example.com/!

") assert_equal_html \ %(

Check this: https://example.com/.

), format_html("

Check this: https://example.com/.

") assert_equal_html \ %(

Check this: https://example.com/?

), format_html("

Check this: https://example.com/?

") assert_equal_html \ %(

Check this: https://example.com/,

), format_html("

Check this: https://example.com/,

") assert_equal_html \ %(

Check this: https://example.com/:

), format_html("

Check this: https://example.com/:

") assert_equal_html \ %(

Check this: https://example.com/;

), format_html("

Check this: https://example.com/;

") assert_equal_html \ %(

Check this: https://example.com/"

), format_html("

Check this: https://example.com/\"

") assert_equal_html \ %(

Check this: https://example.com/'

), format_html("

Check this: https://example.com/'

") # trailing entities that decode to punctuation # use assert_equal and not assert_equal_html to make sure we're getting entities correct assert_equal \ %(

Check this: https://example.com/<

), format_html("

Check this: https://example.com/<

") assert_equal \ %(

Check this: https://example.com/>

), format_html("

Check this: https://example.com/>

") assert_equal \ %(

Check this: https://example.com/"

), format_html("

Check this: https://example.com/"

") # multiple punctuation characters including entities assert_equal_html \ %(

Check this: https://example.com/!?;

), format_html("

Check this: https://example.com/!?;

") assert_equal_html \ %(<img src="https://example.com/">), format_html(%(<img src="https://example.com/">)) assert_equal_html \ %(<img src="https://example.com/"!>), format_html(%(<img src="https://example.com/"!>)) end test "make sure the linked content is properly sanitized" do # https://hackerone.com/reports/3481093 result = format_html(%(https://google.com/\">test</a><input></input>)) assert_no_match(//i, result, "should not create an input element") result = format_html(%(https://google.com/\"><script>alert('xss')</script>)) assert_no_match(/" }) end test "card_html_title escapes HTML inside backticks" do assert_equal "<script>", card_html_title(cards(:logo).tap { _1.title = "`