From c54a8a1238f3df5c375e5fa5cb4c8084f2b60ff4 Mon Sep 17 00:00:00 2001
From: Andrew Kvalheim
Date: Fri, 3 Mar 2023 16:50:20 -0800
Subject: [PATCH 1/2] Add tests of HTML sanitization

---
 spec/helpers/format_helper_spec.rb | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/spec/helpers/format_helper_spec.rb b/spec/helpers/format_helper_spec.rb
index 4e64eb94b7..31adf10710 100644
--- a/spec/helpers/format_helper_spec.rb
+++ b/spec/helpers/format_helper_spec.rb
@@ -16,5 +16,13 @@
 it 'should return HTML for header markdown' do
 expect(markdown('# this is my header')).to eq "

this is my header

\n"
 end
+
+ it 'escapes input HTML' do
+ expect(markdown('*a*')).to eq "

<em>a</em>

\n"
 end
+
+ it 'removes unallowed elements' do
+ expect(markdown('**', false)).to eq "

a

\n"
+ end
 end
 end

From 80d7ac545c132d469711a0a027041d0f04a781ca Mon Sep 17 00:00:00 2001
From: Andrew Kvalheim
Date: Fri, 3 Mar 2023 16:51:01 -0800
Subject: [PATCH 2/2] Set nofollow on links in Markdown content

To disincentivize spamdexing, links in user-generated content should be disavowed by annotation with `rel="nofollow"` attributes:
- https://en.wikipedia.org/wiki/Nofollow

Automated spam has already targeted OSEM in the wild:
- https://github.com/SeaGL/organization/issues/274

Ideally link annotation would be performed during Markdown rendering or a single sanitization pass, but this is currently an unresolved issue:
- https://github.com/vmg/redcarpet/issues/720
---
 app/helpers/format_helper.rb | 2 +-
 spec/helpers/format_helper_spec.rb | 5 +++++
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/app/helpers/format_helper.rb b/app/helpers/format_helper.rb
index 26014f8981..152ac239a7 100644
--- a/app/helpers/format_helper.rb
+++ b/app/helpers/format_helper.rb
@@ -202,7 +202,7 @@ def markdown(text, escape_html=true)
 safe_links_only: true
 }
 markdown = Redcarpet::Markdown.new(Redcarpet::Render::HTML.new(render_options), markdown_options)
- sanitize(markdown.render(text))
+ sanitize(sanitize(markdown.render(text)), scrubber: Loofah::Scrubbers::NoFollow.new)
 end
 def markdown_hint(text='')

diff --git a/spec/helpers/format_helper_spec.rb b/spec/helpers/format_helper_spec.rb
index 31adf10710..e4190d0912 100644
--- a/spec/helpers/format_helper_spec.rb
+++ b/spec/helpers/format_helper_spec.rb
@@ -24,5 +24,10 @@
 it 'removes unallowed elements' do
 expect(markdown('**', false)).to eq "
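Review bot: The nested `sanitize(sanitize(...), scrubber: ...)` on the added line of the app/helpers/format_helper.rb hunk is load-bearing but reads like an accidental duplication, and no comment records why. Rails' `sanitize` helper runs a supplied `scrubber:` in place of its default safe-list scrubber, so only the inner call strips disallowed tags and attributes; a later cleanup that collapses this to one `sanitize(markdown.render(text), scrubber: Loofah::Scrubbers::NoFollow.new)` would drop the safe-listing and pass rendered user HTML through unfiltered. Add above the line: `# A custom scrubber: replaces the safe-list scrubber, so safe-listing and rel="nofollow" need two separate passes.` `def markdown` begins before this hunk.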

a

\n"
 end
+
+ it 'sets nofollow on links' do
+ expect(markdown('[a](https://example.com/)')) .to eq "

a

\n"
+ end
 end
 end