FIX: escape Vimeo iframe URL

This commit is contained in:
Arpit Jalan 2019-05-09 21:07:55 +05:30
parent d1dbafebbc
commit 9758857a78
2 changed files with 6 additions and 1 deletions

View File

@ -376,7 +376,7 @@ module PrettyText
def self.convert_vimeo_iframes(doc) def self.convert_vimeo_iframes(doc)
doc.css("iframe[src*='player.vimeo.com']").each do |iframe| doc.css("iframe[src*='player.vimeo.com']").each do |iframe|
if iframe["data-original-href"].present? if iframe["data-original-href"].present?
vimeo_url = iframe["data-original-href"] vimeo_url = UrlHelper.escape_uri(iframe["data-original-href"])
else else
vimeo_id = iframe['src'].split('/').last vimeo_id = iframe['src'].split('/').last
vimeo_url = "https://vimeo.com/#{vimeo_id}" vimeo_url = "https://vimeo.com/#{vimeo_id}"

View File

@ -748,6 +748,11 @@ describe PrettyText do
html = "<p>Contact me at <a href=\"mailto:username@me.com\">this address</a>.</p>" html = "<p>Contact me at <a href=\"mailto:username@me.com\">this address</a>.</p>"
expect(PrettyText.format_for_email(html, post)).to eq(html) expect(PrettyText.format_for_email(html, post)).to eq(html)
end end
it "prefers data-original-href attribute to get Vimeo iframe link and escapes it" do
html = "<p>Check out this video <iframe src='https://player.vimeo.com/video/329875646' data-original-href='https://vimeo.com/329875646/> <script>alert(1)</script>'></iframe>.</p>"
expect(PrettyText.format_for_email(html, post)).to match(Regexp.escape("https://vimeo.com/329875646/%3E%20%3Cscript%3Ealert(1)%3C/script%3E"))
end
end end
it 'Is smart about linebreaks and IMG tags' do it 'Is smart about linebreaks and IMG tags' do