FIX: escape Vimeo iframe URL

2019-05-09 21:07:55 +05:30 · 2019-05-09 21:07:55 +05:30 · 9758857a78
parent d1dbafebbc
commit 9758857a78
2 changed files with 6 additions and 1 deletions
--- a/lib/pretty_text.rb
+++ b/lib/pretty_text.rb
@ -376,7 +376,7 @@ module PrettyText
  def self.convert_vimeo_iframes(doc)
    doc.css("iframe[src*='player.vimeo.com']").each do |iframe|
      if iframe["data-original-href"].present?
-        vimeo_url = iframe["data-original-href"]
+        vimeo_url = UrlHelper.escape_uri(iframe["data-original-href"])
      else
        vimeo_id = iframe['src'].split('/').last
        vimeo_url = "https://vimeo.com/#{vimeo_id}"
--- a/spec/components/pretty_text_spec.rb
+++ b/spec/components/pretty_text_spec.rb
@ -748,6 +748,11 @@ describe PrettyText do
      html = "<p>Contact me at <a href=\"mailto:username@me.com\">this address</a>.</p>"
      expect(PrettyText.format_for_email(html, post)).to eq(html)
    end
+
+    it "prefers data-original-href attribute to get Vimeo iframe link and escapes it" do
+      html = "<p>Check out this video – <iframe src='https://player.vimeo.com/video/329875646' data-original-href='https://vimeo.com/329875646/> <script>alert(1)</script>'></iframe>.</p>"
+      expect(PrettyText.format_for_email(html, post)).to match(Regexp.escape("https://vimeo.com/329875646/%3E%20%3Cscript%3Ealert(1)%3C/script%3E"))
+    end
  end

  it 'Is smart about linebreaks and IMG tags' do