SECURITY: sanitize html tags in imgur album title

SECURITY: sanitize html tags in imgur album title

diff --git a/lib/onebox/engine/imgur_onebox.rb b/lib/onebox/engine/imgur_onebox.rb
index bcc0b43..d087243 100644
--- a/lib/onebox/engine/imgur_onebox.rb
+++ b/lib/onebox/engine/imgur_onebox.rb
@@ -31,7 +31,7 @@ module Onebox
       def album_html(og)
         escaped_url = ::Onebox::Helpers.normalize_url_for_output(url)
         escaped_src = ::Onebox::Helpers.normalize_url_for_output(get_secure_link(og[:image]))
-        album_title = "[Album] #{Onebox::Helpers.truncate(og[:title].strip, 80)}"
+        album_title = "[Album] #{Onebox::Helpers.sanitize(og[:title], 80)}"
 
         <<-HTML
             <div class='onebox imgur-album'>
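Review bot: The new `album_title` line does not say what guarantee it now relies on, and since the value is interpolated into the heredoc below (the rest of `album_html` lies outside the hunk) that contract is worth recording next to it. `Onebox::Helpers.sanitize` strips tags and the 80-character limit is applied to its output rather than to the raw `og[:title]`, so the length is measured on the sanitized form; as far as I can tell the helper also returns nil for a blank title, which makes `album_title` become `"[Album] "` instead of raising as the old `.strip` did. I would add above the line: `# sanitize strips tags from the untrusted og:title and truncates the result; safe to interpolate as text content below, not as an attribute value`.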
diff --git a/lib/onebox/helpers.rb b/lib/onebox/helpers.rb
index a6e03a0..f515e84 100644
--- a/lib/onebox/helpers.rb
+++ b/lib/onebox/helpers.rb
@@ -173,7 +173,17 @@ module Onebox
     end
 
     def self.title_attr(meta)
-      (meta && !blank?(meta[:title])) ? "title='#{CGI::escapeHTML(meta[:title])}'" : ""
+      title = get(meta, :title)
+      !title.nil? ? "title='#{title}'" : ""
+    end
+
+    def self.get(meta, attr)
+      (meta && !blank?(meta[attr])) ? sanitize(meta[attr]) : nil
+    end
+
+    def self.sanitize(value, length = 50)
+      return nil if blank?(value)
+      truncate(Sanitize.fragment(value).strip, length)
     end
 
     def self.normalize_url_for_output(url)
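Review bot: `title_attr` now interpolates the sanitized title straight into a single-quoted attribute, `"title='#{title}'"`, whereas the removed line ran `CGI::escapeHTML` on it; `Sanitize.fragment` entity-encodes `&`, `<` and `>` in text but, as far as I know, leaves `'` and `"` untouched, so a title containing `'` can terminate the attribute and the attribute context loses the protection it had. Keep an attribute-level escape on the sanitized value, e.g. `!title.nil? ? "title='#{title.gsub("'", "&#39;")}'" : ""`, and note in a comment that `sanitize` yields text-safe, not attribute-safe, output. In `sanitize`, `truncate` runs on the entity-encoded string, so the cut can land inside an entity such as `&lt;` and the length counts entity text rather than visible characters; a one-line comment stating that the length applies to the serialized form would avoid surprises for callers like the imgur engine that pass 80. The hunk does not show whether the `Sanitize` gem is required in this file, which is worth confirming.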
diff --git a/spec/fixtures/imgur.response b/spec/fixtures/imgur.response
new file mode 100644
index 0000000..c2484aa
--- /dev/null
+++ b/spec/fixtures/imgur.response
@@ -0,0 +1,836 @@
+
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html lang="en" xmlns="http://www.w3.org/1999/xhtml">
+<head>
+    <link href="https://fonts.googleapis.com/css?family=Open+Sans:300,300i,400,400i,600,600i,700,700i,800,800i" rel="stylesheet">
+    <title>                        
+        
+    
+
+    Did you &lt;b&gt;miss me&lt;/b&gt;? - Album on Imgur</title>
+    <meta http-equiv="content-type" content="text/html;charset=utf-8" />
+    <meta name="viewport" content="width=1138">
+                        <meta name="robots" content="follow, index" />
+        
+    
+    <meta name="keywords" content="images, photos, gif, gifs, memes, pictures, new pictures, reaction gifs, share photos, share images, latest images, funny, cute, visual storytelling, imgur" />
+        
+    
+
+    
+
+            <meta name="description" content="Post with 7 votes and 151 views. Shared by vinothkannans. Did you &lt;b&gt;miss me&lt;/b&gt;?" />
+    
+    <meta name="copyright" content="Copyright 2019 Imgur, Inc." />
+    <meta http-equiv="X-UA-Compatible" content="IE=Edge;" />
+    
+    <link rel="icon" type="image/png" href="//s.imgur.com/images/favicon-32x32.png" sizes="32x32">
+    <link rel="icon" type="image/png" href="//s.imgur.com/images/favicon-96x96.png" sizes="96x96">
+    <link rel="icon" type="image/png" href="//s.imgur.com/images/favicon-16x16.png" sizes="16x16">
+    <link rel="apple-touch-icon-precomposed" href="//s.imgur.com/images/favicon-152.png">
+    <meta name="msapplication-TileColor" content="#2cd63c">
+    <meta name="msapplication-TileImage" content="//s.imgur.com/images/favicon-144.png">
+            <link rel="stylesheet" type="text/css" href="//s.imgur.com/min/global.css?1549926701" />
+
+    
+        <link rel="stylesheet" type="text/css" href="//s.imgur.com/min/gallery.css?1549926701" />
+
+
+            <link rel="alternate" type="application/json+oembed" href="https://api.imgur.com/oembed.json?url=https://imgur.com/gallery/Sdc0Klc" title="Did you &lt;b&gt;miss me&lt;/b&gt;? - Album on Imgur" />
+        <link rel="alternate" type="application/xml+oembed" href="https://api.imgur.com/oembed.xml?url=https://imgur.com/gallery/Sdc0Klc" title="Did you &lt;b&gt;miss me&lt;/b&gt;? - Album on Imgur" />
+    
+            <!--[if IE 9]><link rel="stylesheet" href="//imgur.com/include/css/ie-sucks.css?0" type="text/css" /><![endif]-->
+    
+                <link rel="canonical" href="https://imgur.com/gallery/Sdc0Klc" />
+                    <meta property="og:url" content="https://i.imgur.com/j1CNCZY.gif?noredirect" />
+        
+    
+                <link rel="alternate" media="only screen and (max-width: 640px)" href="https://m.imgur.com/gallery/Sdc0Klc">
+    
+    <meta name="p:domain_verify" content="834554521765408b9effdc758b69c5ee"/>
+    <meta property="og:site_name" content="Imgur" />
+    <meta property="fb:admins" content="12331492" />
+    <meta property="fb:admins" content="12301369" />
+    <meta property="fb:app_id" content="127621437303857" />
+    <meta property="al:android:url" content="imgur://imgur.com/gallery/Sdc0Klc?from=fbreferral" />
+    <meta property="al:android:app_name" content="Imgur" />
+    <meta property="al:android:package" content="com.imgur.mobile" />
+    <meta property="al:ios:url" content="imgur://imgur.com/gallery/Sdc0Klc?from=fbreferral" />
+    <meta property="al:ios:app_store_id" content="639881495" />
+    <meta property="al:ios:app_name" content="Imgur" />
+    <meta property="al:web:url" content="https://imgur.com/gallery/Sdc0Klc" />
+    <meta name="twitter:site" content="@imgur" />
+    <meta name="twitter:domain" content="imgur.com" />
+    <meta name="twitter:app:id:googleplay" content="com.imgur.mobile" />
+                <meta name="twitter:title" content="Did you &lt;b&gt;miss me&lt;/b&gt;?"/>
+        <meta property="og:title" content="Did you &lt;b&gt;miss me&lt;/b&gt;?"/>
+    
+
+    <meta property="author" content="Imgur" />
+    <meta property="article:author" content="Imgur" />
+    <meta property="article:publisher" content="https://www.facebook.com/imgur">
+
+            <meta property="article:tag" content="" />
+    
+
+            <meta property="og:type" content="video.other" />
+
+                    <meta property="og:image"             content="https://i.imgur.com/j1CNCZY.gif?noredirect" />
+            <meta property="og:image:width"       content="507" />
+            <meta property="og:image:height"      content="250" />
+        
+
+        <meta name="twitter:card"                       content="player" />
+        <meta name="twitter:image"                      content="https://i.imgur.com/j1CNCZYh.jpg" />
+        <meta name="twitter:player"                     content="https://i.imgur.com/j1CNCZY.gifv?twitter#t" />
+        <meta name="twitter:player:width"               content="507" />
+        <meta name="twitter:player:height"              content="250" />
+        <meta name="twitter:player:stream"              content="https://i.imgur.com/j1CNCZY.mp4" />
+        <meta name="twitter:player:stream:content_type" content="video/mp4">
+    
+
+    
+
+    
+    <script type="application/ld+json">
+        {
+            "@context": "http://schema.org",
+            "@type": "WebSite",
+            "url": "https://imgur.com",
+            "name": "Imgur",
+            "potentialAction": {
+                "@type": "SearchAction",
+                "target": "https://imgur.com/search?q={search_term_string}",
+                "query-input": "required name=search_term_string"
+            }
+        }
+    </script>
+    
+    <!-- Google Tag Manager -->
+<script>
+    (function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':
+            new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],
+        j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src=
+        '//www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);
+    })(window,document,'script','dataLayer','GTM-M6N38SF');</script>
+<!-- End Google Tag Manager -->
+
+    <!--[if lte IE 8]><script type="text/javascript" src="//s.imgur.com/min/iepoly.js?1549926701"></script>
+<![endif]-->
+          <script>
+      (function() {
+          document.write('<div id="vmv3-ad-manager" style="display:none"></div>');

[... diff too long, it was truncated ...]

GitHub sha: 57bfe32b