Use the correct escape method. (#141)

app/operations/render_liquid.rb

@@ -11,6 +11,8 @@ class RenderLiquid
   send(:include, FamilyHelper)
   send(:include, Dry::Monads[:result, :do])
 
+  include ActionView::Helpers::TagHelper
+
   # @param [String] :body
   # @param [String] :subject MPI indicator for a given notice
   # @param [Array<Dry::Struct>] :entities
@@ -36,7 +38,7 @@ def sanitize_values(entity_hash)
 
     result = entity_hash.deep_stringify_keys
     result.deep_transform_values do |value|
-      value.is_a?(String) ? ActionController::Base.helpers.sanitize(value) : value
+      value.is_a?(String) ? escape_once(value) : value
     end
   end
 

spec/operations/documents/create_spec.rb

@@ -197,7 +197,7 @@
         # we are sanitizing scripts on template creation so we cannot now
         # convered the same test in template spec
         expect(sanitized_template).to include('http://thiswillneverload')
-        expect(sanitized_template).not_to include('onerror')
+        expect(sanitized_template).not_to include('<img')
         expect(sanitized_template).to include('<style>')
       end
     end

spec/operations/render_liquid_spec.rb

@@ -3,6 +3,7 @@
 require "rails_helper"
 
 describe RenderLiquid, "asked to sanitize some values" do
+  include ActionView::Helpers::TagHelper
 
   let(:now) { DateTime.now }
   let(:bad_html_value) { "<img src=http://0ab3iy52xv954qnfzsa9zn9tfklc98xx.bc.nhbrsec.com>" }
@@ -21,12 +22,14 @@
     }
   end
 
+  let(:escaped_value) { escape_once(bad_html_value) }
+
   let(:operation) { RenderLiquid.new }
 
   subject { operation.send(:sanitize_values, entity_hash) }
 
   it "sanitizes the html" do
-    expect(subject["yet_another"][0]["more_complex"][1]).not_to include(bad_html_value)
+    expect(subject["yet_another"][0]["more_complex"][1]).to eq(escaped_value)
   end
 
   it "does not alter the numeric value" do