From 19b4364d791cb4822d0ca4c5c96b67c7846cfd01 Mon Sep 17 00:00:00 2001
From: Robin Ward <robin.ward@gmail.com>
Date: Wed, 17 Sep 2014 12:08:00 -0400
Subject: [PATCH] SECURITY: Stripping links could unescape html fragments

---
 lib/pretty_text.rb                  | 2 +-
 spec/components/pretty_text_spec.rb | 4 ++++
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/lib/pretty_text.rb b/lib/pretty_text.rb
index 57c9071e5ab..6d52705a1f8 100644
--- a/lib/pretty_text.rb
+++ b/lib/pretty_text.rb
@@ -250,7 +250,7 @@ module PrettyText
 
     # If the user is not basic, strip links from their bio
     fragment = Nokogiri::HTML.fragment(string)
-    fragment.css('a').each {|a| a.replace(a.text) }
+    fragment.css('a').each {|a| a.replace(a.inner_html) }
     fragment.to_html
   end
 
diff --git a/spec/components/pretty_text_spec.rb b/spec/components/pretty_text_spec.rb
index 90147cfbb9f..e2dce46b1f0 100644
--- a/spec/components/pretty_text_spec.rb
+++ b/spec/components/pretty_text_spec.rb
@@ -218,6 +218,10 @@ describe PrettyText do
     it "strips links but leaves the text content" do
       expect(PrettyText.strip_links("I'm the linked <a href='http://en.wikipedia.org/wiki/Batman'>batman</a>")).to eq("I'm the linked batman")
     end
+
+    it "escapes the text content" do
+      expect(PrettyText.strip_links("I'm the linked <a href='http://en.wikipedia.org/wiki/Batman'>&lt;batman&gt;</a>")).to eq("I'm the linked &lt;batman&gt;")
+    end
   end
 
   describe "make_all_links_absolute" do
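Review bot: The new example pins the entity case only; the change from `text` to `inner_html` also alters what happens to markup nested inside a link (child elements are now retained rather than flattened to text), and nothing here asserts that. A third example would lock that behaviour in, for instance `it "keeps markup nested inside the link" do` / `expect(PrettyText.strip_links("<a href='/x'><b>bold</b></a>")).to eq("<b>bold</b>")` / `end` (expected value constructed from Nokogiri's default serialization; adjust if the project normalizes attributes or whitespace differently).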