diff --git a/app/services/html_sanitizer.rb b/app/services/html_sanitizer.rb
index e6d81d7ecd..73660d8829 100644
--- a/app/services/html_sanitizer.rb
+++ b/app/services/html_sanitizer.rb
@@ -6,7 +6,8 @@
 # We offer an editor which supports certain tags but you can't insert just any
 # HTML, which would be dangerous.
 class HtmlSanitizer
- ALLOWED_TAGS = %w[h1 h2 h3 h4 p br b i u a strong em del pre blockquote ul ol li hr figure].freeze
+ ALLOWED_TAGS = %w[h1 h2 h3 h4 div p br b i u a strong em del pre blockquote ul ol li hr
+ figure].freeze
 ALLOWED_ATTRIBUTES = %w[href target].freeze
 ALLOWED_TRIX_DATA_ATTRIBUTES = %w[data-trix-attachment].freeze
diff --git a/spec/services/html_sanitizer_spec.rb b/spec/services/html_sanitizer_spec.rb
index 090d4bd3e9..bda9eb2188 100644
--- a/spec/services/html_sanitizer_spec.rb
+++ b/spec/services/html_sanitizer_spec.rb
@@ -6,14 +6,26 @@ RSpec.describe HtmlSanitizer do
 subject { described_class }
 context "when HTML has supported tags" do
- it "keeps supported tags" do
- html = "Hello alert!
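Review bot: The new `div` entry in `ALLOWED_TAGS` carries no comment explaining why a generic block container is now allowed, and this constant is the entire allowlist standing between user-supplied editor HTML and the rendered page, so the reason for each non-obvious entry belongs next to it. With `ALLOWED_ATTRIBUTES` still limited to `href target`, a bare `div` carries no event handler, `style` or `id`, so the addition looks harmless as written, but that only holds as long as the attribute list stays this narrow. I would add above the constant: `# Allowlist for editor output; div is presumably the editor's plain block wrapper (confirm).` and `# Widening ALLOWED_ATTRIBUTES (class/style/id) must be re-reviewed against every tag here.` As a point of style, wrapping `figure` alone onto the continuation line reads like a separate declaration; grouping block, inline and list tags one group per line would make the list easier to audit. The `HtmlSanitizer` class body continues past the end of the hunk.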
How are you?"
- expect(subject.sanitize(html)) .to eq "Hello alert!
How are you?"
+ it "keeps supported regular tags" do
+ supported_tags = %w[h1 h2 h3 h4 div p b i u a strong em del pre blockquote ul ol li figure]
+ supported_tags.each do |tag|
+ html = "<#{tag}>Content"
+ sanitized_html = subject.sanitize(html)
+ expect(sanitized_html).to eq(html), "Expected '#{tag}' to be preserved."
+ end
+ end
+
+ it "keeps supported void tags" do
+ supported_tags = %w[br hr]
+ supported_tags.each do |tag|
+ html = "<#{tag}>"
+ sanitized_html = subject.sanitize(html)
+ expect(sanitized_html).to eq(html), "Expected '#{tag}' to be preserved."
+ end
+ end
 it "handles nested tags" do
- html = ''
'
 expect(subject.sanitize(html)).to eq(html)
 end
 end
@@ -44,7 +56,7 @@ RSpec.describe HtmlSanitizer do
 expect(subject.sanitize(html)).to eq ""
 end
- it "removes link tags" do
+ it "removes base tags" do
 html = ""
 expect(subject.sanitize(html)).to eq ""
 end
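Review bot: The `supported_tags` list in "keeps supported regular tags" is a hand-copied subset of `ALLOWED_TAGS`, so a tag added to the production allowlist but not here is never exercised, and the spec cannot flag an unexpected allowlist addition at review time. Keeping the explicit list is fine, but it should be tied back to the constant so drift in either direction fails: `expect(supported_tags + %w[br hr]).to match_array(HtmlSanitizer::ALLOWED_TAGS)` placed after the two lists are built. The `each` inside a single `it` also stops at the first failing tag; wrapping the loop in `aggregate_failures do … end` reports every failing tag in one run. The enclosing `RSpec.describe` block starts and ends outside the hunk.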