rename url helper and enhance url to escape html

app/helpers/url_helper.rb

@@ -1,7 +1,7 @@
 module UrlHelper
-  def prepend_https(url)
+  def display_safe_url(url)
     return "" if url.blank?
-    return url if url.start_with?("https://")
-    "https://#{url}"
+    return h(url) if url.start_with?("https://") ||  url.start_with?("http://")
+    return "https://#{h(url)}"
   end
 end

app/views/dashboards/_subject.html.erb

@@ -26,10 +26,10 @@
       <%= icon_tag("link", color: :primary, class: "w-6 text-orange mr-3") %>
       <p class="text-neutral-800 dark:text-white"><%=
         link_to(
-          truncate(prepend_https(user.homepage_url), length: 20),
-          h(prepend_https(user.homepage_url)),
+          truncate(display_safe_url(user.homepage_url), length: 20),
+          display_safe_url(user.homepage_url),
           rel: "nofollow",
-          data: { confirm: "You are about to be redirected #{h(prepend_https(user.homepage_url))}" }
+          data: { confirm: "You are about to be redirected #{display_safe_url(user.homepage_url)}" }
         )
       %></p>
     </div>

app/views/profiles/show.html.erb

@@ -98,11 +98,11 @@
           <p id="homepage-url">
             <%=
                link_to(
-                truncate(h(prepend_https(@user.homepage_url)),length: 20),
-                h(prepend_https(@user.homepage_url)),
+                truncate(display_safe_url(@user.homepage_url),length: 20),
+                display_safe_url(@user.homepage_url),
                 rel: "nofollow",
                 class: "profile__header__attribute t-link--black",
-                data: { confirm: "You are about to be redirected #{h(prepend_https(@user.homepage_url))} " }
+                data: { confirm: "You are about to be redirected #{display_safe_url(@user.homepage_url)} " }
               )
             %>
           </p>

test/unit/helpers/url_helper_test.rb

@@ -1,20 +1,33 @@
 require "test_helper"
 
 class UrlHelperTest < ActionView::TestCase
-  context "prepend_https" do
+  include ERB::Util
+  context "display_safe_url" do
     should "return url if it begins with https" do
-      assert_equal "https://www.awesomesite.com", prepend_https("https://www.awesomesite.com")
+      assert_equal "https://www.awesomesite.com", display_safe_url("https://www.awesomesite.com")
     end
     should "return empty string if url is empty" do
-      assert_equal "", prepend_https("")
+      assert_equal "", display_safe_url("")
+    end
+
+    should "display a url starting with http" do
+      assert_equal "http://www.awesomesite.com", display_safe_url("http://www.awesomesite.com")
     end
 
     should "return link with https if it does not begin with https" do
-      assert_equal "https://javascript:alert('hello');", prepend_https("javascript:alert('hello');")
+      assert_equal "https://javascript:alert(&#39;hello&#39;);", display_safe_url("javascript:alert('hello');")
     end
 
+    should "escape html" do 
+      assert_equal "https://&lt;script&gt;alert(&#39;hello&#39;);&lt;/script&gt;https://www", display_safe_url("<script>alert('hello');</script>https://www")
+    end 
+
+    should "prepend https if url does not begin with http or https" do 
+      assert_equal "https://www.awesomesite.com/https://javascript:alert(&#39;hello&#39;);", display_safe_url("www.awesomesite.com/https://javascript:alert('hello');")
+    end 
+
     should "return empty string if url is nil" do
-      assert_equal "", prepend_https(nil)
+      assert_equal "", display_safe_url(nil)
     end
   end
 end