Configure brakeman to ignore url safe preview card urls

These values are validated on the way to being saved, and html escaped
by Rails in the views.

The inclusion of the helper method here is a bit of a workaround to give
brakeman a method name to ignore.

app/helpers/formatting_helper.rb

@@ -9,6 +9,10 @@ def linkify(text, options = {})
     TextFormatter.new(text, options).to_s
   end
 
+  def url_for_preview_card(preview_card)
+    preview_card.url
+  end
+
   def extract_status_plain_text(status)
     PlainTextFormatter.new(status.text, status.local?).to_s
   end

app/views/admin/trends/links/_preview_card.html.haml

@@ -4,7 +4,7 @@
 
   .batch-table__row__content.pending-account
     .pending-account__header
-      = link_to preview_card.title, preview_card.url
+      = link_to preview_card.title, url_for_preview_card(preview_card)
 
       %br/
 

config/brakeman.yml

@@ -1,3 +1,5 @@
 ---
 :skip_checks:
   - CheckPermitAttributes
+:url_safe_methods:
+  - url_for_preview_card

spec/views/admin/trends/links/_preview_card.html.haml_spec.rb

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+describe 'admin/trends/links/_preview_card.html.haml' do
+  it 'correctly escapes user supplied url values' do
+    form = instance_double(ActionView::Helpers::FormHelper, check_box: nil)
+    trend = PreviewCardTrend.new(allowed: false)
+    preview_card = Fabricate.build(
+      :preview_card,
+      url: 'https://host.example/path?query=<script>',
+      trend: trend,
+      title: 'Fun'
+    )
+
+    render partial: 'admin/trends/links/preview_card', locals: { preview_card: preview_card, f: form }
+
+    expect(rendered).to include('<a href="https://host.example/path?query=&lt;script&gt;">Fun</a>')
+  end
+end