diff --git a/app/lib/formatter.rb b/app/lib/formatter.rb
index d9f843f445..575830190d 100644
--- a/app/lib/formatter.rb
+++ b/app/lib/formatter.rb
@@ -137,7 +137,7 @@ class Formatter
suffix = url[prefix.length + 30..-1]
cutoff = url[prefix.length..-1].length > 30
- "#{prefix}#{text}#{suffix}"
+ "#{encode(prefix)}#{encode(text)}#{encode(suffix)}"
end
def hashtag_html(tag)
diff --git a/spec/lib/formatter_spec.rb b/spec/lib/formatter_spec.rb
index f9b7efac5b..b714b317a3 100644
--- a/spec/lib/formatter_spec.rb
+++ b/spec/lib/formatter_spec.rb
@@ -121,6 +121,22 @@ RSpec.describe Formatter do
end
end
+ context 'contains unsafe URL (XSS attack, visible part)' do
+ let(:text) { %q{http://example.com/bb} }
+
+ it 'has escaped HTML' do
+ is_expected.to include '<del>b</del>'
+ end
+ end
+
+ context 'contains unsafe URL (XSS attack, invisible part)' do
+ let(:text) { %q{http://example.com/blahblahblahblah/a} }
+
+ it 'has escaped HTML' do
+ is_expected.to include '<script>alert("Hello")</script>'
+ end
+ end
+
context 'contains HTML (script tag)' do
let(:text) { '' }