Configure brakeman to ignore url safe preview card urls (mastodon#25883)

app/helpers/formatting_helper.rb

@@ -9,6 +9,10 @@ def linkify(text, options = {})
     TextFormatter.new(text, options).to_s
   end
 
+  def url_for_preview_card(preview_card)
+    preview_card.url
+  end
+
   def extract_status_plain_text(status)
     PlainTextFormatter.new(status.text, status.local?).to_s
   end

app/views/admin/trends/links/_preview_card.html.haml

@@ -4,7 +4,7 @@
 
   .batch-table__row__content.pending-account
     .pending-account__header
-      = link_to preview_card.title, preview_card.url
+      = link_to preview_card.title, url_for_preview_card(preview_card)
 
       %br/
 

config/brakeman.yml

@@ -1,3 +1,5 @@
 ---
 :skip_checks:
   - CheckPermitAttributes
+:url_safe_methods:
+  - url_for_preview_card

spec/views/admin/trends/links/_preview_card.html.haml_spec.rb

@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+describe 'admin/trends/links/_preview_card.html.haml' do
+  it 'correctly escapes user supplied url values' do
+    form = instance_double(ActionView::Helpers::FormHelper, check_box: nil)
+    trend = PreviewCardTrend.new(allowed: false)
+    preview_card = Fabricate.build(
+      :preview_card,
+      url: 'https://host.example/path?query=<script>',
+      trend: trend,
+      title: 'Fun'
+    )
+
+    render partial: 'admin/trends/links/preview_card', locals: { preview_card: preview_card, f: form }
+
+    expect(rendered).to include('<a href="https://host.example/path?query=&lt;script&gt;">Fun</a>')
+  end
+end