From 89d308c9ee75b813517860ef338657facf8ec8e5 Mon Sep 17 00:00:00 2001 From: Henne Vogelsang Date: Wed, 20 Nov 2024 12:20:25 +0100 Subject: [PATCH] Sanitize markdown output Also: fold mdpreview into enrich_markdown --- app/helpers/markdown_helper.rb | 9 ++++----- app/views/about/index.html.haml | 2 +- app/views/projects/_list_item.html.haml | 2 +- app/views/projects/_similar_projects.html.haml | 2 +- app/views/projects/_tile.html.haml | 2 +- 5 files changed, 8 insertions(+), 9 deletions(-) diff --git a/app/helpers/markdown_helper.rb b/app/helpers/markdown_helper.rb index a81529e7..c9b7b5be 100644 --- a/app/helpers/markdown_helper.rb +++ b/app/helpers/markdown_helper.rb @@ -1,9 +1,8 @@ module MarkdownHelper - def mdpreview(markdown_source, lines: 3) - markdown_source.lines[0..lines - 1].join - end + def enrich_markdown(markdown:, lines: nil) + # build an excerpt + markdown = markdown.lines[0..lines - 1].join if lines - def enrich_markdown(markdown:) # replace :smiley: with a link to github.com emojis markdown.gsub!(/(?<=^|\s):([\w+-]+):(?=\s|$)/) do |match| %(![add-emoji](https://github.githubassets.com/images/icons/emoji/#{match.to_str.tr(':', '')}.png)) @@ -17,6 +16,6 @@ def enrich_markdown(markdown:) "#{Regexp.last_match(1)}[hw##{Regexp.last_match(2)}](#{::Rails.application.routes.url_helpers(only_path: true).project_path(Regexp.last_match(2))})#{Regexp.last_match(3)}" end - markdown + sanitize(markdown) end end diff --git a/app/views/about/index.html.haml b/app/views/about/index.html.haml index 93f2936e..b9a1bc39 100644 --- a/app/views/about/index.html.haml +++ b/app/views/about/index.html.haml @@ -81,7 +81,7 @@ = project.title .md-preview :markdown - #{mdpreview(project.description, lines: 2)} + #{enrich_markdown(markdown: project.description, lines: 2)} .row .col-sm-12 diff --git a/app/views/projects/_list_item.html.haml b/app/views/projects/_list_item.html.haml index 62a11649..663318c9 100644 --- a/app/views/projects/_list_item.html.haml 
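Review bot: In the first `markdown_helper.rb` hunk, a call without `lines:` leaves `markdown` pointing at the caller's own string, so the `gsub!` just below rewrites that object in place (for a model attribute, the in-memory description). With `lines:` set, `.join` returns a copy, so the two paths behave differently. Copying up front makes them consistent and tolerates a missing description: `markdown = markdown.to_s.dup` as the first statement, then `markdown = markdown.lines.first(lines).join if lines`. Using `first(lines)` also avoids `lines: 0` becoming `[0..-1]`, which returns the whole text instead of an empty excerpt. The method body continues past the end of this hunk.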
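Review bot: In the second `markdown_helper.rb` hunk, `sanitize(markdown)` cleans the Markdown source, not the output the commit subject refers to. The views in this patch interpolate the return value inside a `:markdown` filter, so the HTML is generated after this call and is never sanitized. Raw tags typed into a description are filtered, but link and image destinations written in Markdown syntax are produced by the renderer afterwards; whether the renderer restricts them is not visible in this diff. Running an HTML sanitizer over Markdown text can also entity-encode characters that are Markdown syntax, such as a leading `>` for a blockquote. I would render first and sanitize the resulting HTML, or at least document the limit above the line: `# NOTE: sanitizes the Markdown source only; the rendered HTML is not covered by this call`. The method starts in the previous hunk.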
+++ b/app/views/projects/_list_item.html.haml @@ -13,7 +13,7 @@ = render :partial => "projects/like_button", :locals => {:project => project } .md-preview :markdown - #{mdpreview(project.description, lines: 2)} + #{enrich_markdown(markdown: project.description, lines: 2)} - unless project.users.empty? .well.well-sm - project.users.each do |user| diff --git a/app/views/projects/_similar_projects.html.haml b/app/views/projects/_similar_projects.html.haml index 1c6030ca..8076d13c 100644 --- a/app/views/projects/_similar_projects.html.haml +++ b/app/views/projects/_similar_projects.html.haml @@ -16,5 +16,5 @@ = link_to(project.originator.name, user_path(project.originator)) %p :markdown - #{truncate(project.description, length: 50)} + #{enrich_markdown(markdown: project.description, lines: 50)} %hr diff --git a/app/views/projects/_tile.html.haml b/app/views/projects/_tile.html.haml index e75b62d2..485ab37e 100644 --- a/app/views/projects/_tile.html.haml +++ b/app/views/projects/_tile.html.haml @@ -6,7 +6,7 @@ = render :partial => "projects/like_button", :locals => {:project => project } .panel-body :markdown - #{truncate(project.description, length: 140)} + #{enrich_markdown(markdown: project.description, lines: 140)} .user-list{:style=>"padding-top: 10px;"} - if project.users.empty? .alert.alert-warning
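Review bot: In `_similar_projects.html.haml`, `lines: 50` carries over the number from `truncate(..., length: 50)`, but the unit changed from characters to lines, so this excerpt is no longer bounded in any practical way. A description written as one long paragraph is emitted in full. The same applies to `lines: 140` in `_tile.html.haml`. `truncate` also returned `nil` quietly for a missing description, whereas `markdown.lines` in the helper would raise if `project.description` can be `nil` here. If these are meant to stay short previews, use a small line count as the other views do, `#{enrich_markdown(markdown: project.description, lines: 2)}`, or keep a character cap inside the helper.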