FIX: Latest onebox adds more attributes to links for security

Robin Ward 2017-05-12 15:49:20 -04:00
parent dd0c34c4b9
commit 1fb08d24d9
1 changed files with 11 additions and 7 deletions


@ -4,25 +4,29 @@ describe Onebox::Engine::DiscourseLocalOnebox do
before { SiteSetting.external_system_avatars_enabled = false }
def build_link(url)
%|<a href="#{url}" target="_blank" rel="nofollow noopener">#{url}</a>|
end
context "for a link to a post" do
let(:post) { Fabricate(:post) }
let(:post2) { Fabricate(:post, topic: post.topic, post_number: 2) }
it "returns a link if post isn't found" do
url = "#{Discourse.base_url}/t/not-exist/3/2"
expect(Onebox.preview(url).to_s).to eq(%|<a href="#{url}">#{url}</a>|)
expect(Onebox.preview(url).to_s).to eq(build_link(url))
end
it "returns a link if not allowed to see the post" do
url = "#{Discourse.base_url}#{post2.url}"
Guardian.any_instance.expects(:can_see_post?).returns(false)
expect(Onebox.preview(url).to_s).to eq(%|<a href="#{url}">#{url}</a>|)
expect(Onebox.preview(url).to_s).to eq(build_link(url))
end
it "returns a link if post is hidden" do
hidden_post = Fabricate(:post, topic: post.topic, post_number: 2, hidden: true, hidden_reason_id: Post.hidden_reasons[:flag_threshold_reached])
url = "#{Discourse.base_url}#{hidden_post.url}"
expect(Onebox.preview(url).to_s).to eq(%|<a href="#{url}">#{url}</a>|)
expect(Onebox.preview(url).to_s).to eq(build_link(url))
end
it "returns some onebox goodness if post exists and can be seen" do
@ -43,13 +47,13 @@ describe Onebox::Engine::DiscourseLocalOnebox do
it "returns a link if topic isn't found" do
url = "#{Discourse.base_url}/t/not-found/123"
expect(Onebox.preview(url).to_s).to eq(%|<a href="#{url}">#{url}</a>|)
expect(Onebox.preview(url).to_s).to eq(build_link(url))
end
it "returns a link if not allowed to see the topic" do
url = topic.url
Guardian.any_instance.expects(:can_see_topic?).returns(false)
expect(Onebox.preview(url).to_s).to eq(%|<a href="#{url}">#{url}</a>|)
expect(Onebox.preview(url).to_s).to eq(build_link(url))
end
it "replaces emoji in the title" do
@ -80,13 +84,13 @@ describe Onebox::Engine::DiscourseLocalOnebox do
html = Onebox.preview(url).to_s
# </source> will be removed by the browser
# need to fix https://github.com/rubys/nokogumbo/issues/14
expect(html).to eq(%|<audio controls=""><source src="#{url}"></source><a href="#{url}">#{url}</a></audio>|)
expect(html).to eq(%|<audio controls=""><source src="#{url}"></source>#{build_link(url)}</audio>|)
end
it "returns some onebox goodness for video file" do
url = "#{Discourse.base_url}#{path}.mov"
html = Onebox.preview(url).to_s
expect(html).to eq(%|<video width="100%" height="100%" controls=""><source src="#{url}"></source><a href="#{url}">#{url}</a></video>|)
expect(html).to eq(%|<video width="100%" height="100%" controls=""><source src="#{url}"></source>#{build_link(url)}</video>|)
end
end
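Review bot: The new `build_link` helper in the first hunk has no comment saying what the expected markup represents, so the reason `target="_blank"` and `rel="nofollow noopener"` are now required is only recoverable from the commit title; I would add above the `def`: `# Fallback anchor the onebox gem emits for URLs it cannot expand; the rel="noopener" is what the gem added so a page opened via target="_blank" cannot reach window.opener, and nofollow keeps the link out of search ranking.` The helper also pins the exact attribute order, so this spec will break on any reordering in the gem's serialization rather than on a real change in behaviour; if that proves noisy, asserting on the parsed attributes instead of the string would be the alternative, but the string match is acceptable for a gem-upgrade check. The enclosing `describe` block starts before and ends after the hunks shown.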