SECURITY: Correctly parse URLs in chat excerpts

plugins/chat/app/models/chat/message.rb

@@ -122,7 +122,14 @@ module Chat
 
     def build_excerpt
       # just show the URL if the whole message is a URL, because we cannot excerpt oneboxes
-      return message if UrlHelper.relaxed_parse(message).is_a?(URI)
+      urls = PrettyText.extract_links(cooked).map(&:url)
+      if urls.present?
+        regex = %r{^[^:]+://}
+        clean_urls = urls.map { |url| url.sub(regex, "") }
+        if message.gsub(regex, "").split.sort == clean_urls.sort
+          return PrettyText.excerpt(urls.join(" "), EXCERPT_LENGTH)
+        end
+      end
 
       # upload-only messages are better represented as the filename
       return uploads.first.original_filename if cooked.blank? && uploads.present?

plugins/chat/spec/system/chat_channel_spec.rb

@@ -296,6 +296,15 @@ RSpec.describe "Chat channel", type: :system do
       )
     end
 
+    it "renders escaped HTML when including a #" do
+      update_message!(message_2, user: other_user, text: "#general <abbr>not abbr</abbr>")
+      chat_page.visit_channel(channel_1)
+
+      expect(find(".chat-reply .chat-reply__excerpt")["innerHTML"].strip).to eq(
+        "#general &lt;abbr&gt;not abbr&lt;/abbr&gt;",
+      )
+    end
+
     it "renders safe HTML like mentions (which are just links) in the reply-to" do
       update_message!(
         message_2,