Fixed #2437 - square brackets are deleted in links

lib/html_sanitizer.rb

@@ -401,7 +401,6 @@ cleanup html string:
                                    .delete("\t\n\r\u0000")
                                    .gsub(%r{/\*.*?\*/}, '')
                                    .gsub(/<!--.*?-->/, '')
-                                   .gsub(/\[.+?\]/, '')
 
     sanitize_attachment_disposition(cleaned_string)
   end

spec/lib/html_sanitizer_spec.rb

@@ -194,6 +194,13 @@ RSpec.describe HtmlSanitizer do
           .to match(HtmlSanitizer::UNPROCESSABLE_HTML_MSG)
       end
     end
+
+    context 'with href links that contain square brackets' do
+      it 'correctly URL encodes them' do
+        expect(HtmlSanitizer.strict(+'<a href="https://example.com/?foo=bar&baz[x]=y">example</a>', true))
+          .to eq('<a href="https://example.com/?foo=bar&amp;baz%5Bx%5D=y" rel="nofollow noreferrer noopener" target="_blank" title="https://example.com/?foo=bar&amp;baz[x]=y">example</a>')
+      end
+    end
   end
 
   describe '.cleanup' do

test/unit/html_sanitizer_test.rb

@@ -69,8 +69,8 @@ tt  p://6 6.000146.0x7.147/">XSS</A>', true), '<a href="htt%20%20p://6%206.00014
     assert_equal(HtmlSanitizer.strict('<object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></object>'), '')
     assert_equal(HtmlSanitizer.strict('<embed src="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></embed>'), '')
     assert_equal(HtmlSanitizer.strict('<img[a][b]src=x[d]onerror[c]=[e]"alert(1)">'), '<img>')
-    assert_equal(HtmlSanitizer.strict('<a href="[a]java[b]script[c]:alert(1)">XXX</a>'), 'XXX')
+    assert_equal(HtmlSanitizer.strict('<a href="[a]java[b]script[c]:alert(1)">XXX</a>'), '<a href="%5Ba%5Djava%5Bb%5Dscript%5Bc%5D:alert(1)">XXX</a>')
-    assert_equal(HtmlSanitizer.strict('<a href="[a]java[b]script[c]:alert(1)">XXX</a>', true), 'XXX')
+    assert_equal(HtmlSanitizer.strict('<a href="[a]java[b]script[c]:alert(1)">XXX</a>', true), '<a href="http://%5Ba%5Djava%5Bb%5Dscript%5Bc%5D:alert(1)" rel="nofollow noreferrer noopener" target="_blank" title="http://%5Ba%5Djava%5Bb%5Dscript%5Bc%5D:alert(1)">XXX</a>')
     assert_equal(HtmlSanitizer.strict('<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>'), 'alert(1)')
     assert_equal(HtmlSanitizer.strict('<a style="position:fixed;top:0;left:0;width: 260px;height:100vh;background-color:red;display: block;" href="http://example.com"></a>'), '<a href="http://example.com" rel="nofollow noreferrer noopener" target="_blank" title="http://example.com"></a>')
     assert_equal(HtmlSanitizer.strict('<a style="position:fixed;top:0;left:0;width: 260px;height:100vh;background-color:red;display: block;" href="http://example.com"></a>', true), '<a href="http://example.com" rel="nofollow noreferrer noopener" target="_blank" title="http://example.com"></a>')