FIX: Allow sanitized-HTML in GH issues and categories oneboxes. (disc…

…ourse#25374)

Follow-up to discourse@d783579

Related meta topic: https://meta.discourse.org/t/html-is-not-render-on-category-onebox-description/289424:

lib/onebox/engine/github_issue_onebox.rb

@@ -40,7 +40,10 @@ def data
         body, excerpt = compute_body(raw["body"])
         ulink = URI(link)
 
-        labels = raw["labels"].map { |l| { name: Emoji.codes_to_img(CGI.escapeHTML(l["name"])) } }
+        labels =
+          raw["labels"].map do |l|
+            { name: Emoji.codes_to_img(Onebox::Helpers.sanitize(l["name"])) }
+          end
 
         {
           link: @url,

lib/onebox/templates/discourse_category_onebox.mustache

@@ -12,7 +12,7 @@
     {{#description}}
       <div>
         <span class="description">
-          <p>{{description}}</p>
+          <p>{{{description}}}</p>
         </span>
       </div>
     {{/description}}

lib/oneboxer.rb

@@ -486,7 +486,7 @@ def self.local_category_html(url, route)
         name: category.name,
         color: category.color,
         logo_url: category.uploaded_logo&.url,
-        description: category.description,
+        description: Onebox::Helpers.sanitize(category.description),
         has_subcategories: category.subcategories.present?,
         subcategories:
           category.subcategories.collect { |sc| { name: sc.name, color: sc.color, url: sc.url } },

spec/lib/onebox/engine/github_issue_onebox_spec.rb

@@ -16,7 +16,7 @@
   describe "#to_html" do
     it "sanitizes the input and transform the emoji into an img tag" do
       sanitized_label =
-        'Test <img src="/images/emoji/twitter/+1.png?v=12" title="+1" class="emoji" alt="+1" loading="lazy" width="20" height="20"> &lt;style&gt;body {display: none}&lt;/style&gt;'
+        'Test <img src="/images/emoji/twitter/+1.png?v=12" title="+1" class="emoji" alt="+1" loading="lazy" width="20" height="20">'
 
       expect(html).to include(sanitized_label)
     end