From 1f5740e65cc50ef3cc1feb7c0e5609df73d4173a Mon Sep 17 00:00:00 2001
From: Neil Matatall <448516+oreoshake@users.noreply.github.com>
Date: Thu, 15 Dec 2022 05:39:41 -1000
Subject: [PATCH] Use Rails tag API to build RSS feed for spoilers and polls
 (#20163)

* Use Rails tag API to build RSS feed for spoilers and polls

While the previous method did not contain a bug or a potential issue,
the tag API can be very resilient against future problems and reduces the
amount of manual management of the escape status of the content.

I've added tests to ensure that the formatting is not broken and that
control characters are still escaped correctly.

* this seems cleaner and passes

* Incorporate feedback by moving the br to its own line and using the tag helper over the string constant for the br tag itself

* whoops, tag helper doesn't use a self-closing tag
---
 app/helpers/formatting_helper.rb       | 25 +++++++++++++++++--------
 spec/helpers/formatting_helper_spec.rb | 24 ++++++++++++++++++++++++
 2 files changed, 41 insertions(+), 8 deletions(-)
 create mode 100644 spec/helpers/formatting_helper_spec.rb

diff --git a/app/helpers/formatting_helper.rb b/app/helpers/formatting_helper.rb
index a9d2f9651..c70931489 100644
--- a/app/helpers/formatting_helper.rb
+++ b/app/helpers/formatting_helper.rb
@@ -23,19 +23,28 @@ module FormattingHelper
 
     before_html = begin
       if status.spoiler_text?
-        "<p><strong>#{I18n.t('rss.content_warning', locale: available_locale_or_nil(status.language) || I18n.default_locale)}</strong> #{h(status.spoiler_text)}</p><hr />"
-      else
-        ''
+        tag.p do
+          tag.strong do
+            I18n.t('rss.content_warning', locale: available_locale_or_nil(status.language) || I18n.default_locale)
+          end
+
+          status.spoiler_text
+        end + tag.hr
       end
-    end.html_safe # rubocop:disable Rails/OutputSafety
+    end
 
     after_html = begin
       if status.preloadable_poll
-        "<p>#{status.preloadable_poll.options.map { |o| "<input type=#{status.preloadable_poll.multiple? ? 'checkbox' : 'radio'} disabled /> #{h(o)}" }.join('<br />')}</p>"
-      else
-        ''
+        tag.p do
+          safe_join(
+            status.preloadable_poll.options.map do |o|
+              tag.send(status.preloadable_poll.multiple? ? 'checkbox' : 'radio', o, disabled: true)
+            end,
+            tag.br
+          )
+        end
       end
-    end.html_safe # rubocop:disable Rails/OutputSafety
+    end
 
     prerender_custom_emojis(
       safe_join([before_html, html, after_html]),
diff --git a/spec/helpers/formatting_helper_spec.rb b/spec/helpers/formatting_helper_spec.rb
new file mode 100644
index 000000000..af604a87b
--- /dev/null
+++ b/spec/helpers/formatting_helper_spec.rb
@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+describe FormattingHelper, type: :helper do
+  include Devise::Test::ControllerHelpers
+
+  describe '#rss_status_content_format' do
+    let(:status) { Fabricate(:status, text: 'Hello world<>', spoiler_text: 'This is a spoiler<>', poll: Fabricate(:poll, options: %w(Yes<> No))) }
+    let(:html) { helper.rss_status_content_format(status) }
+
+    it 'renders the spoiler text' do
+      expect(html).to include('<p>This is a spoiler&lt;&gt;</p><hr>')
+    end
+
+    it 'renders the status text' do
+      expect(html).to include('<p>Hello world&lt;&gt;</p>')
+    end
+
+    it 'renders the poll' do
+      expect(html).to include('<radio disabled="disabled">Yes&lt;&gt;</radio><br>')
+    end
+  end
+end
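Review bot: The spec only covers a status that has both a spoiler and a single-choice poll, so the branches the helper hunk changed most — the `else ''` removals that now leave `before_html`/`after_html` as `nil`, and the `multiple?` branch that selects `'checkbox'` — are not exercised. Worth adding a second `let` with a plain status (no `spoiler_text`, no `poll`) asserting the output is exactly the escaped text with no stray `<p>`, `<hr>` or `nil`, and a poll fabricated with `multiple: true` asserting the checkbox markup. The `&lt;&gt;` assertions are the right shape for checking escaping; consider also asserting that `<strong>` and `<input` appear at all, since the current expectations would pass even if a label or input were dropped.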