diff --git a/publify_core/app/models/feedback.rb b/publify_core/app/models/feedback.rb
index 7bd363d1ae..e4b9d775d3 100644
--- a/publify_core/app/models/feedback.rb
+++ b/publify_core/app/models/feedback.rb
@@ -67,6 +67,10 @@ def self.paginated(page, per_page)
page(page).per(per_page)
end
+ def self.allowed_tags
+ @allowed_tags ||= Rails::Html::SafeListSanitizer.allowed_tags - ["img"]
+ end
+
def parent
article
end
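Review bot: The new `self.allowed_tags` gives no indication of why `img` alone is dropped from the sanitizer's default allow list, and the memoized `Set` it returns is mutable, so any caller doing `allowed_tags << "img"` or `delete` would silently change the policy for every later feedback item. Freezing the memoized value and stating the reason keeps the policy readable and tamper-evident: `# Feedback is untrusted; <img> is excluded so a comment cannot embed remote-loaded content.` above the method, and `@allowed_tags ||= (Rails::Html::SafeListSanitizer.allowed_tags - ["img"]).freeze` as the body. Because `self.class.allowed_tags` is resolved on the concrete subclass, each subclass of Feedback memoizes its own copy, which is harmless but worth knowing when reading the `@allowed_tags` ivar.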
@@ -86,7 +90,7 @@ def permalink_url(_anchor = :ignored, only_path = false)
def html_postprocess(_field, html)
helper = ContentTextHelpers.new
- helper.sanitize(helper.auto_link(html))
+ helper.sanitize(helper.auto_link(html), tags: self.class.allowed_tags)
end
def correct_url
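Review bot: `html_postprocess` now narrows the tag allow list but nothing at the call site says that the `tags:` override leaves the attribute allow list at the sanitizer's default, nor why `sanitize` deliberately runs after `auto_link`; both are easy to break in a later refactor. A short comment on the `helper.sanitize` line would capture the intent: `# Sanitize last so auto_link's generated markup is filtered too; tags: restricts elements only, attributes keep the sanitizer default.` If the attribute list is ever meant to be restricted as well, `attributes:` would have to be passed alongside `tags:` here rather than assumed from the tag change.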
diff --git a/publify_core/spec/models/comment_spec.rb b/publify_core/spec/models/comment_spec.rb
index 2c6e3117d2..48890f2db3 100644
--- a/publify_core/spec/models/comment_spec.rb
+++ b/publify_core/spec/models/comment_spec.rb
@@ -268,6 +268,29 @@ def valid_comment(options = {})
end
end
+ context "with a comment containing some html" do
+ let(:comment) do
+ described_class.new do |c|
+ c.body = "Test foo "
+ c.author = "Bob"
+ c.article = build_stubbed(:article, blog: blog)
+ end
+ end
+
+ ["", "textile", "markdown", "smartypants", "markdown smartypants"].each do |filter|
+ it "rejects images but not formatting with filter '#{filter}'" do
+ blog.comment_text_filter = filter
+
+ html = comment.html(:body)
+
+ ActiveSupport::Deprecation.silence do
+ expect(html).not_to match(/foo})
+ end
+ end
+ end
+ end
+
context "with a markdown comment with italic and bold" do
let(:comment) { build(:comment, body: "Comment body _italic_ **bold**") }
let(:blog) { comment.article.blog }