Keep link when redacting unauthorized object links

1 files changed, 21 insertions, 4 deletions

diff --git a/lib/banzai/redactor.rb b/lib/banzai/redactor.rb
index 827df7c08ae..fd457bebf03 100644
--- a/lib/banzai/redactor.rb
+++ b/lib/banzai/redactor.rb
@@ -42,16 +42,33 @@ module Banzai
           next if visible.include?(node)
 
           doc_data[:visible_reference_count] -= 1
-          # The reference should be replaced by the original link's content,
-          # which is not always the same as the rendered one.
-          content = node.attr('data-original') || node.inner_html
-          node.replace(content)
+          redacted_content = redacted_node_content(node)
+          node.replace(redacted_content)
         end
       end
 
       metadata
     end
 
+    # Return redacted content of given node as either the original link (<a> tag),
+    # the original content (text), or the inner HTML of the node.
+    #
+    def redacted_node_content(node)
+      original_content = node.attr('data-original')
+      link_reference = node.attr('data-link-reference')
+
+      # Build the raw <a> tag just with a link as href and content if
+      # it's originally a link pattern. We shouldn't return a plain text href.
+      original_link =
+        if link_reference == 'true' && href = original_content
+          %(<a href="#{href}">#{href}</a>)
+        end
+
+      # The reference should be replaced by the original link's content,
+      # which is not always the same as the rendered one.
+      original_link || original_content || node.inner_html
+    end
+
     def redact_cross_project_references(documents)
       extractor = Banzai::IssuableExtractor.new(project, user)
       issuables = extractor.extract(documents)