SECURITY: Stripping links could unescape html fragments

2025-06-04 11:11:13 +08:00 · 2014-09-17 12:08:00 -04:00
parent c16b8364ab
commit 19b4364d79
2 changed files with 5 additions and 1 deletions
--- a/lib/pretty_text.rb
+++ b/lib/pretty_text.rb
@ -250,7 +250,7 @@ module PrettyText

    # If the user is not basic, strip links from their bio
    fragment = Nokogiri::HTML.fragment(string)
-    fragment.css('a').each {|a| a.replace(a.text) }
+    fragment.css('a').each {|a| a.replace(a.inner_html) }
    fragment.to_html
  end