Revert "Merge branch 'onebox-safety' of git://github.com/tms/discourse"

This reverts commit 7ca57db97a, reversing
changes made to b7e027cfd1.
Robin Ward 2013-02-19 14:22:13 -05:00
parent d05706f774
commit ba238f92c2
12 changed files with 88 additions and 125 deletions


@ -36,14 +36,12 @@ module Oneboxer
if page_html.present? if page_html.present?
doc = Nokogiri::HTML(page_html) doc = Nokogiri::HTML(page_html)
if Whitelist.oembed_allowed?(url) # See if if it has an oembed thing we can use
# See if if it has an oembed thing we can use (doc/"link[@type='application/json+oembed']").each do |oembed|
(doc/"link[@type='application/json+oembed']").each do |oembed| return OembedOnebox.new(oembed[:href]).onebox
return OembedOnebox.new(oembed[:href]).onebox end
end (doc/"link[@type='text/json+oembed']").each do |oembed|
(doc/"link[@type='text/json+oembed']").each do |oembed| return OembedOnebox.new(oembed[:href]).onebox
return OembedOnebox.new(oembed[:href]).onebox
end
end end
# Check for opengraph # Check for opengraph
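Review bot: The oembed `<link>` discovery now runs for every fetched page, because the `Whitelist.oembed_allowed?(url)` guard around the two `.each` loops is gone on the new side; `oembed[:href]` is read straight out of the fetched document and handed to `OembedOnebox.new` with no check that the endpoint is one the whitelist meant to permit. If the revert is meant to stay, a per-entry opt-in (or a comparable check on the discovered endpoint) is worth restoring before this ships. The enclosing method begins outside the hunk. The comment also reads `See if if it has an oembed thing` — drop the doubled `if`.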


@ -3,7 +3,7 @@ require_dependency 'oneboxer/oembed_onebox'
module Oneboxer module Oneboxer
class ClikthroughOnebox < OembedOnebox class ClikthroughOnebox < OembedOnebox
matcher /^https?:\/\/(?:www\.)?clikthrough\.com\/theater\/video\/\d+$/ matcher /clikthrough\.com\/theater\/video\/\d+$/
def oembed_endpoint def oembed_endpoint
"http://clikthrough.com/services/oembed?url=#{BaseOnebox.uriencode(@url)}" "http://clikthrough.com/services/oembed?url=#{BaseOnebox.uriencode(@url)}"
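Review bot: The restored `matcher /clikthrough\.com\/theater\/video\/\d+$/` is anchored only at the end, so it matches wherever `clikthrough.com/theater/video/…` occurs in the URL, including in the path or query of a URL on a different host, whereas the removed form matched only from the start of the string. The same unanchored shape comes back in the Dailymotion, Dotsub, GithubBlob, Kinomap, Nfb, Viddler and Yfrog oneboxes and throughout the `Whitelist.entries` list. If the revert is only to unblock something else, anchoring scheme and host with `\A` is the smallest re-fix, e.g. `matcher /\Ahttps?:\/\/(?:www\.)?clikthrough\.com\/theater\/video\/\d+\z/` — `\A`/`\z` rather than `^`/`$`, since the latter match per line in Ruby.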


@ -3,7 +3,7 @@ require_dependency 'oneboxer/oembed_onebox'
module Oneboxer module Oneboxer
class DailymotionOnebox < OembedOnebox class DailymotionOnebox < OembedOnebox
matcher /^https?:\/\/(?:www\.)?dailymotion\.com\/.+$/ matcher /dailymotion\.com\/.+$/
def oembed_endpoint def oembed_endpoint
"http://www.dailymotion.com/api/oembed/?url=#{BaseOnebox.uriencode(@url)}" "http://www.dailymotion.com/api/oembed/?url=#{BaseOnebox.uriencode(@url)}"


@ -3,7 +3,7 @@ require_dependency 'oneboxer/oembed_onebox'
module Oneboxer module Oneboxer
class DotsubOnebox < OembedOnebox class DotsubOnebox < OembedOnebox
matcher /^https?:\/\/(?:www\.)?dotsub\.com\/.+$/ matcher /dotsub\.com\/.+$/
def oembed_endpoint def oembed_endpoint
"http://dotsub.com/services/oembed?url=#{BaseOnebox.uriencode(@url)}" "http://dotsub.com/services/oembed?url=#{BaseOnebox.uriencode(@url)}"


@ -3,7 +3,7 @@ require_dependency 'oneboxer/handlebars_onebox'
module Oneboxer module Oneboxer
class GithubBlobOnebox < HandlebarsOnebox class GithubBlobOnebox < HandlebarsOnebox
matcher /^https?:\/\/(?:www\.)?github\.com\/[^\/]+\/[^\/]+\/blob\/.*/ matcher /github\.com\/[^\/]+\/[^\/]+\/blob\/.*/
favicon 'github.png' favicon 'github.png'
def translate_url def translate_url


@ -3,7 +3,7 @@ require_dependency 'oneboxer/oembed_onebox'
module Oneboxer module Oneboxer
class KinomapOnebox < OembedOnebox class KinomapOnebox < OembedOnebox
matcher /^https?:\/\/(?:www\.)?kinomap\.com/ matcher /kinomap\.com/
def oembed_endpoint def oembed_endpoint
"http://www.kinomap.com/oembed?url=#{BaseOnebox.uriencode(@url)}&format=json" "http://www.kinomap.com/oembed?url=#{BaseOnebox.uriencode(@url)}&format=json"


@ -3,7 +3,7 @@ require_dependency 'oneboxer/oembed_onebox'
module Oneboxer module Oneboxer
class NfbOnebox < OembedOnebox class NfbOnebox < OembedOnebox
matcher /^https?:\/\/(?:www\.)?nfb\.ca\/film\/[-\w]+\/?/ matcher /nfb\.ca\/film\/[-\w]+\/?/
def oembed_endpoint def oembed_endpoint
"http://www.nfb.ca/remote/services/oembed/?url=#{BaseOnebox.uriencode(@url)}&format=json" "http://www.nfb.ca/remote/services/oembed/?url=#{BaseOnebox.uriencode(@url)}&format=json"


@ -20,7 +20,6 @@ module Oneboxer
@opts[:original_url] = @url @opts[:original_url] = @url
@opts[:text] = @opts['description'] @opts[:text] = @opts['description']
@opts[:unsafe] = true
begin begin
parsed = URI.parse(@url) parsed = URI.parse(@url)


@ -12,12 +12,7 @@
{{#image}}<img src="{{image}}" class="thumbnail">{{/image}} {{#image}}<img src="{{image}}" class="thumbnail">{{/image}}
<h3><a href="{{original_url}}" target="_blank">{{title}}</a></h3> <h3><a href="{{original_url}}" target="_blank">{{title}}</a></h3>
{{#by_info}}<h4>{{by_info}}</h4>{{/by_info}} {{#by_info}}<h4>{{by_info}}</h4>{{/by_info}}
{{#unsafe}} {{{text}}}
{{text}}
{{/unsafe}}
{{^unsafe}}
{{{text}}}
{{/unsafe}}
</div> </div>
<div class='clearfix'></div> <div class='clearfix'></div>
</div> </div>
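Review bot: `{{{text}}}` on the new side is the triple-stache form, so `text` is emitted as raw HTML, and the `{{#unsafe}}`/`{{^unsafe}}` split that rendered it escaped as `{{text}}` when the flag was set is gone. The preceding hunk also stops setting `@opts[:unsafe]`, and there `text` is assigned from `@opts['description']`, which appears to originate from the fetched page rather than from the site's own data; that origin is inferred from the hunk, not confirmed here. Unless `text` is sanitized before it reaches the template, render it as `{{text}}`, or sanitize it at the `@opts[:text] = @opts['description']` assignment.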


@ -3,7 +3,7 @@ require_dependency 'oneboxer/oembed_onebox'
module Oneboxer module Oneboxer
class ViddlerOnebox < OembedOnebox class ViddlerOnebox < OembedOnebox
matcher /^https?:\/\/(?:www\.)?viddler\.com\/.+$/ matcher /viddler\.com\/.+$/
def oembed_endpoint def oembed_endpoint
"http://lab.viddler.com/services/oembed/?url=#{BaseOnebox.uriencode(@url)}" "http://lab.viddler.com/services/oembed/?url=#{BaseOnebox.uriencode(@url)}"


@ -2,113 +2,84 @@ module Oneboxer
module Whitelist module Whitelist
def self.entries def self.entries
[ [/cnn\.com\/.+/,
Entry.new(/^https?:\/\/(?:www\.)?cnn\.com\/.+/), /washingtonpost\.com\/.+/,
Entry.new(/^https?:\/\/(?:www\.)?washingtonpost\.com\/.+/), /\/\d{4}\/\d{2}\/\d{2}\//, # wordpress
Entry.new(/^https?:\/\/(?:www\.)?funnyordie\.com\/.+/), /funnyordie\.com\/.+/,
Entry.new(/^https?:\/\/(?:www\.)?youtube\.com\/.+/), /youtube\.com\/.+/,
Entry.new(/^https?:\/\/(?:www\.)?youtu\.be\/.+/), /youtu\.be\/.+/,
Entry.new(/^https?:\/\/(?:www\.)?500px\.com\/.+/), /500px\.com\/.+/,
Entry.new(/^https?:\/\/(?:www\.)?scribd\.com\/.+/), /scribd\.com\/.+/,
Entry.new(/^https?:\/\/(?:www\.)?photobucket\.com\/.+/), /photobucket\.com\/.+/,
Entry.new(/^https?:\/\/(?:www\.)?ebay\.(com|ca|co\.uk)\/.+/), /ebay\.(com|ca|co\.uk)\/.+/,
Entry.new(/^https?:\/\/(?:www\.)?nytimes\.com\/.+/), /nytimes\.com\/.+/,
Entry.new(/^https?:\/\/(?:www\.)?pinterest\.com\/.+/), /tumblr\.com\/.+/,
Entry.new(/^https?:\/\/(?:www\.)?imdb\.com\/.+/), /pinterest\.com\/.+/,
Entry.new(/^https?:\/\/(?:www\.)?bbc\.co\.uk\/.+/), /imdb\.com\/.+/,
Entry.new(/^https?:\/\/(?:www\.)?ask\.com\/.+/), /bbc\.co\.uk\/.+/,
Entry.new(/^https?:\/\/(?:www\.)?huffingtonpost\.com\/.+/), /ask\.com\/.+/,
Entry.new(/^https?:\/\/(?:www\.)?aol\.(com|ca)\/.+/), /huffingtonpost\.com\/.+/,
Entry.new(/^https?:\/\/(?:www\.)?espn\.go\.com\/.+/), /aol\.(com|ca)\/.+/,
Entry.new(/^https?:\/\/(?:www\.)?about\.com\/.+/), /espn\.go\.com\/.+/,
Entry.new(/^https?:\/\/(?:www\.)?cnet\.com\/.+/), /about\.com\/.+/,
Entry.new(/^https?:\/\/(?:www\.)?ehow\.com\/.+/), /cnet\.com\/.+/,
Entry.new(/^https?:\/\/(?:www\.)?dailymail\.co\.uk\/.+/), /ehow\.com\/.+/,
Entry.new(/^https?:\/\/(?:www\.)?indiatimes\.com\/.+/), /dailymail\.co\.uk\/.+/,
Entry.new(/^https?:\/\/(?:www\.)?answers\.com\/.+/), /indiatimes\.com\/.+/,
Entry.new(/^https?:\/\/(?:www\.)?instagr\.am\/.+/), /answers\.com\/.+/,
Entry.new(/^https?:\/\/(?:www\.)?battle\.net\/.+/), /instagr\.am\/.+/,
Entry.new(/^https?:\/\/(?:www\.)?sourceforge\.net\/.+/), /battle\.net\/.+/,
Entry.new(/^https?:\/\/(?:www\.)?myspace\.com\/.+/), /sourceforge\.net\/.+/,
Entry.new(/^https?:\/\/(?:www\.)?wikia\.com\/.+/), /myspace\.com\/.+/,
Entry.new(/^https?:\/\/(?:www\.)?etsy\.com\/.+/), /wikia\.com\/.+/,
Entry.new(/^https?:\/\/(?:www\.)?walmart\.com\/.+/), /etsy\.com\/.+/,
Entry.new(/^https?:\/\/(?:www\.)?reference\.com\/.+/), /walmart\.com\/.+/,
Entry.new(/^https?:\/\/(?:www\.)?yelp\.com\/.+/), /reference\.com\/.+/,
Entry.new(/^https?:\/\/(?:www\.)?foxnews\.com\/.+/), /yelp\.com\/.+/,
Entry.new(/^https?:\/\/(?:www\.)?guardian\.co\.uk\/.+/), /foxnews\.com\/.+/,
Entry.new(/^https?:\/\/(?:www\.)?digg\.com\/.+/), /guardian\.co\.uk\/.+/,
Entry.new(/^https?:\/\/(?:www\.)?squidoo\.com\/.+/), /digg\.com\/.+/,
Entry.new(/^https?:\/\/(?:www\.)?wsj\.com\/.+/), /squidoo\.com\/.+/,
Entry.new(/^https?:\/\/(?:www\.)?archive\.org\/.+/), /wsj\.com\/.+/,
Entry.new(/^https?:\/\/(?:www\.)?nba\.com\/.+/), /archive\.org\/.+/,
Entry.new(/^https?:\/\/(?:www\.)?samsung\.com\/.+/), /nba\.com\/.+/,
Entry.new(/^https?:\/\/(?:www\.)?mashable\.com\/.+/), /samsung\.com\/.+/,
Entry.new(/^https?:\/\/(?:www\.)?forbes\.com\/.+/), /mashable\.com\/.+/,
Entry.new(/^https?:\/\/(?:www\.)?soundcloud\.com\/.+/), /forbes\.com\/.+/,
Entry.new(/^https?:\/\/(?:www\.)?thefreedictionary\.com\/.+/), /soundcloud\.com\/.+/,
Entry.new(/^https?:\/\/(?:www\.)?groupon\.com\/.+/), /thefreedictionary\.com\/.+/,
Entry.new(/^https?:\/\/(?:www\.)?ikea\.com\/.+/), /groupon\.com\/.+/,
Entry.new(/^https?:\/\/(?:www\.)?dell\.com\/.+/), /ikea\.com\/.+/,
Entry.new(/^https?:\/\/(?:www\.)?mlb\.com\/.+/), /dell\.com\/.+/,
Entry.new(/^https?:\/\/(?:www\.)?bestbuy\.(com|ca)\/.+/), /mlb\.com\/.+/,
Entry.new(/^https?:\/\/(?:www\.)?bloomberg\.com\/.+/), /bestbuy\.(com|ca)\/.+/,
Entry.new(/^https?:\/\/(?:www\.)?ign\.com\/.+/), /bloomberg\.com\/.+/,
Entry.new(/^https?:\/\/(?:www\.)?twitpic\.com\/.+/), /ign\.com\/.+/,
Entry.new(/^https?:\/\/(?:www\.)?techcrunch\.com\/.+/), /twitpic\.com\/.+/,
Entry.new(/^https?:\/\/(?:www\.)?usatoday\.com\/.+/), /techcrunch\.com\/.+/,
Entry.new(/^https?:\/\/(?:www\.)?go\.com\/.+/), /usatoday\.com\/.+/,
Entry.new(/^https?:\/\/(?:www\.)?businessinsider\.com\/.+/), /go\.com\/.+/,
Entry.new(/^https?:\/\/(?:www\.)?zillow\.com\/.+/), /businessinsider\.com\/.+/,
Entry.new(/^https?:\/\/(?:www\.)?tmz\.com\/.+/), /zillow\.com\/.+/,
Entry.new(/^https?:\/\/(?:www\.)?thesun\.co\.uk\/.+/), /tmz\.com\/.+/,
Entry.new(/^https?:\/\/(?:www\.)?thestar\.(com|ca)\/.+/), /thesun\.co\.uk\/.+/,
Entry.new(/^https?:\/\/(?:www\.)?theglobeandmail\.com\/.+/), /thestar\.(com|ca)\/.+/,
Entry.new(/^https?:\/\/(?:www\.)?torontosun\.com\/.+/), /theglobeandmail\.com\/.+/,
Entry.new(/^https?:\/\/(?:www\.)?kickstarter\.com\/.+/), /torontosun\.com\/.+/,
Entry.new(/^https?:\/\/(?:www\.)?wired\.com\/.+/), /kickstarter\.com\/.+/,
Entry.new(/^https?:\/\/(?:www\.)?time\.com\/.+/), /wired\.com\/.+/,
Entry.new(/^https?:\/\/(?:www\.)?npr\.org\/.+/), /time\.com\/.+/,
Entry.new(/^https?:\/\/(?:www\.)?cracked\.com\/.+/), /npr\.org\/.+/,
Entry.new(/^https?:\/\/(?:www\.)?deadline\.com\/.+/), /cracked\.com\/.+/,
Entry.new(/^https?:\/\/(?:www\.)?tumblr\.com\/.+/, false), /deadline\.com\/.+/
Entry.new(/\/\d{4}\/\d{2}\/\d{2}\//, false), # wordpress ]
]
end end
def self.allowed?(url) def self.allowed?(url)
!match(url).nil? #return true
end entries.each {|e| return true if url =~ e }
def self.oembed_allowed?(url)
unless (e = match(url)).nil?
return e.allows_oembed?
end
false false
end end
private
def self.match(url)
entries.each {|e| return e if e.matches?(url) }
nil
end
class Entry
# oembed = false is probably safer, but this is the least-drastic change
def initialize(pattern, oembed = true)
@pattern = pattern
@oembed = oembed
end
def allows_oembed?
@oembed
end
def matches?(url)
url =~ @pattern
end
end
end end
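Review bot: `self.allowed?` on the new side carries a commented-out `#return true` directly above the loop; dead debug code in the method that decides which hosts get oneboxed should be removed. The `entries.each {|e| return true if url =~ e }` followed by a bare `false` is the idiomatic `entries.any? { |e| url =~ e }`. The `/\/\d{4}\/\d{2}\/\d{2}\//` entry (commented `# wordpress`) admits any host whose path contains a date, which makes the rest of the list irrelevant for such URLs — if that breadth is intentional, say so in the comment, e.g. `# wordpress-style date paths: intentionally host-agnostic`, otherwise narrow it.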


@ -3,7 +3,7 @@ require_dependency 'oneboxer/oembed_onebox'
module Oneboxer module Oneboxer
class YfrogOnebox < OembedOnebox class YfrogOnebox < OembedOnebox
matcher /^https?:\/\/(?:www\.)?yfrog\.(com|ru|com\.tr|it|fr|co\.il|co\.uk|com\.pl|pl|eu|us)\/[a-zA-Z0-9]+/ matcher /yfrog\.(com|ru|com\.tr|it|fr|co\.il|co\.uk|com\.pl|pl|eu|us)\/[a-zA-Z0-9]+/
def oembed_endpoint def oembed_endpoint
"http://www.yfrog.com/api/oembed/?url=#{BaseOnebox.uriencode(@url)}&format=json" "http://www.yfrog.com/api/oembed/?url=#{BaseOnebox.uriencode(@url)}&format=json"