FIX: escape youtube title when constructing onebox preview html (#16999)

2022-06-08 01:42:37 -04:00 · 2022-06-08 01:42:37 -04:00 · 99b0578b4c
parent 82ac698d4f
commit 99b0578b4c
2 changed files with 7 additions and 2 deletions
--- a/lib/onebox/engine/youtube_onebox.rb
+++ b/lib/onebox/engine/youtube_onebox.rb
@ -42,7 +42,7 @@ module Onebox
          result = parse_embed_response
          result ||= get_opengraph.data

-          "<img src='#{result[:image]}' width='#{WIDTH}' height='#{HEIGHT}' title='#{result[:title]}'>"
+          "<img src='#{result[:image]}' width='#{WIDTH}' height='#{HEIGHT}' title='#{CGI::escapeHTML(result[:title])}'>"
        else
          to_html
        end
--- a/spec/lib/oneboxer_spec.rb
+++ b/spec/lib/oneboxer_spec.rb
@ -384,7 +384,7 @@ describe Oneboxer do
      <<~HTML
        <html>
        <head>
-          <meta property="og:title" content="Onebox1">
+          <meta property="og:title" content="Onebox1 - ceci n'est pas un titre">
          <meta property="og:description" content="this is bodycontent">
          <meta property="og:image" content="https://i.ytimg.com/vi/dQw4w9WgXcQ/maxresdefault.jpg">
        </head>
@ -416,6 +416,11 @@ describe Oneboxer do
      output = Oneboxer.onebox("https://www.youtube.com/watch?v=dQw4w9WgXcQ", invalidate_oneboxes: true)
      expect(output).to include("<iframe") # Regular youtube onebox
    end
+
+    it "appropriately escapes youtube titles" do
+      preview = Oneboxer.preview("https://www.youtube.com/watch?v=dQw4w9WgXcQ", invalidate_oneboxes: true)
+      expect(preview).to include("ceci n'est pas un titre")
+    end
  end

  it "allows iframes from generic sites via the allowed_iframes setting" do