Do not allow images in comments

publify_core/app/models/feedback.rb

@@ -67,6 +67,10 @@ def self.paginated(page, per_page)
     page(page).per(per_page)
   end
 
+  def self.allowed_tags
+    @allowed_tags ||= Rails::Html::SafeListSanitizer.allowed_tags - ["img"]
+  end
+
   def parent
     article
   end
@@ -86,7 +90,7 @@ def permalink_url(_anchor = :ignored, only_path = false)
 
   def html_postprocess(_field, html)
     helper = ContentTextHelpers.new
-    helper.sanitize(helper.auto_link(html))
+    helper.sanitize(helper.auto_link(html), tags: self.class.allowed_tags)
   end
 
   def correct_url

publify_core/spec/models/comment_spec.rb

@@ -268,6 +268,29 @@ def valid_comment(options = {})
       end
     end
 
+    context "with a comment containing some html" do
+      let(:comment) do
+        described_class.new do |c|
+          c.body = "Test <b>foo</b> <img src=\"https://eviloverlord.com/getmyip.jpg\">"
+          c.author = "Bob"
+          c.article = build_stubbed(:article, blog: blog)
+        end
+      end
+
+      ["", "textile", "markdown", "smartypants", "markdown smartypants"].each do |filter|
+        it "rejects images but not formatting with filter '#{filter}'" do
+          blog.comment_text_filter = filter
+
+          html = comment.html(:body)
+
+          ActiveSupport::Deprecation.silence do
+            expect(html).not_to match(/<img/)
+            expect(html).to match(%r{<b>foo</b>})
+          end
+        end
+      end
+    end
+
     context "with a markdown comment with italic and bold" do
       let(:comment) { build(:comment, body: "Comment body _italic_ **bold**") }
       let(:blog) { comment.article.blog }