Sanitize markdown output

We were using the markdown renderer with the `filter_html` option set to
false, so we weren't removing hypothetical `<script>` tags.

app/helpers/application_helper.rb

@@ -32,7 +32,8 @@ module ApplicationHelper
       strikethrough:      true,
       superscript:        true
     }
-    Redcarpet::Markdown.new(renderer, extensions).render(text).html_safe
+
+    sanitize(Redcarpet::Markdown.new(renderer, extensions).render(text))
   end
 
   def author_of?(authorable, user)

app/views/legislation/draft_versions/show.html.erb

@@ -49,7 +49,7 @@
 
         <div data-sticky-container>
           <div data-sticky data-anchor="sticky-panel" class="draft-index sticky" data-tree-navigator>
-            <%= @draft_version.toc_html.html_safe %>
+            <%= sanitize(@draft_version.toc_html) %>
           </div>
         </div>
       </div>
@@ -66,7 +66,7 @@
                    data-legislation-annotatable-base-url="<%= legislation_process_draft_version_path(@process, @draft_version) %>"
                    data-legislation-open-phase="<%= @process.allegations_phase.open? %>">
           <% end %>
-            <%= @draft_version.body_html.html_safe %>
+            <%= sanitize(@draft_version.body_html) %>
           </section>
         </div>
       </div>

spec/features/xss_spec.rb

@@ -78,4 +78,12 @@ describe "Cross-Site Scripting protection", :js do
 
     expect(page.text).not_to be_empty
   end
+
+  scenario "markdown conversion" do
+    process = create(:legislation_process, description: attack_code)
+
+    visit legislation_process_path(process)
+
+    expect(page.text).not_to be_empty
+  end
 end