This code returns insecure content, and I think that's very counter-intuitive:
auto_link("<script>alert('malicious')</script> www.rubyonrails.org", :sanitize => true)
I propose to avoid the vulnerability that this commit from @tenderlove fixed (61ee344) and, at the same time, make better use of the existing (but undocumented) :sanitize option.
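The behaviour proposed above, as an added example (not Rails' own auto_link, not the PR's patch, and not tenderlove's commit): markup is stripped only when :sanitize => true, and only then is the result marked html_safe; with :sanitize => false the text is still auto-linked but comes back as an ordinary String, so the view layer escapes it. SafeString, strip_tags, html_escape and render are stand-ins assumed here for ActiveSupport::SafeBuffer, the Rails sanitizer and ERB output escaping, so that the snippet runs in plain Ruby.

```ruby
# Added example: minimal model of auto_link with a :sanitize option.
# Not the rails/rails code; SafeString, strip_tags, html_escape and render
# are assumed stand-ins for the Rails pieces so this runs without Rails.

class String
  # Plain strings are never trusted by the (simulated) view layer.
  def html_safe?
    false
  end
end

# Stand-in for ActiveSupport::SafeBuffer: a string the view will not escape.
class SafeString < String
  def html_safe?
    true
  end
end

URL_RE = %r{\b(?:https?://|www\.)[^\s<>"']+}i

# Stand-in for the Rails sanitizer (assumption): drops every tag, keeps text.
def strip_tags(text)
  text.gsub(/<[^>]*>/, "")
end

def html_escape(text)
  text.gsub("&", "&amp;").gsub("<", "&lt;").gsub(">", "&gt;").gsub('"', "&quot;")
end

# Wrap URLs in anchors. Sanitizing happens BEFORE linking so the anchors we
# emit survive; the result is marked safe only if we actually sanitized it.
def auto_link(text, sanitize: true)
  text = strip_tags(text) if sanitize
  linked = text.gsub(URL_RE) do |url|
    href = url.start_with?("www.") ? "http://#{url}" : url
    %(<a href="#{href}">#{url}</a>)
  end
  sanitize ? SafeString.new(linked) : linked
end

# Stand-in for ERB's <%= %>: escape unless the value says it is already safe.
def render(value)
  value.html_safe? ? value : html_escape(value)
end

# Constructed input, the same payload quoted in the PR description.
INPUT = "<script>alert('malicious')</script> www.rubyonrails.org"

if __FILE__ == $PROGRAM_NAME
  puts render(auto_link(INPUT, sanitize: true))   # script tag gone, anchor rendered
  puts render(auto_link(INPUT, sanitize: false))  # anchor and script both escaped
end
```

With :sanitize => true the script tags are removed and the anchor is rendered as markup; with :sanitize => false nothing is removed, but because the return value is not html_safe the view escapes the whole string, script tag and anchor alike, which is the conservative outcome the reviewer asks to be covered by a test.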
It should not return an html_safe string when :sanitize => false is given, right? Can you add a test for that?
:sanitize => false
Add test to auto_link to return not html_safe strings when :sanitize …
You are right, test added.
auto_link has been removed on master. I think this issue can be closed.
Closing. Pull request moved to the new rails_autolink repository.