Discource-C
/
discourse
mirror of https://github.com/discourse/discourse.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

FIX: whitelist oneboxed iframes

This commit is contained in:
Régis Hanol 2017-12-23 01:56:33 +01:00
parent b74e933cfb
commit d6b22e6cc1
2 changed files with 46 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
lib/onebox/engine/whitelisted_generic_onebox.rb
View File

@ -14,6 +14,24 @@ module Onebox
Float::INFINITY Float::INFINITY
end end
private
# overwrite to whitelist iframes
def is_embedded?
return false unless data[:html] && data[:height]
return true if WhitelistedGenericOnebox.html_providers.include?(data[:provider_name])
if data[:html]["iframe"]
fragment = Nokogiri::HTML::fragment(data[:html])
if iframe = fragment.at_css("iframe")
src = iframe["src"]
return src.present? && SiteSetting.allowed_iframes.split("|").any? { |url| src.start_with?(url) }
end
end
false
end
end end
end end
end end

28
spec/components/onebox/engine/whitelisted_generic_onebox_spec.rb
View File

@ -15,4 +15,32 @@ describe Onebox::Engine::WhitelistedGenericOnebox do
end end
it "whitelists iframes" do
whitelisted_body = '<html><head><link rel="alternate" type="application/json+oembed" href="https://whitelist.ed/iframes.json" />'
blacklisted_body = '<html><head><link rel="alternate" type="application/json+oembed" href="https://blacklist.ed/iframes.json" />'
whitelisted_oembed = {
type: "rich",
height: "100",
html: "<iframe src='https://ifram.es/foo/bar'></iframe>"
}
blacklisted_oembed = {
type: "rich",
height: "100",
html: "<iframe src='https://malicious/discourse.org/'></iframe>"
}
stub_request(:get, "https://blacklist.ed/iframes").to_return(status: 200, body: blacklisted_body)
stub_request(:get, "https://blacklist.ed/iframes.json").to_return(status: 200, body: blacklisted_oembed.to_json)
stub_request(:get, "https://whitelist.ed/iframes").to_return(status: 200, body: whitelisted_body)
stub_request(:get, "https://whitelist.ed/iframes.json").to_return(status: 200, body: whitelisted_oembed.to_json)
SiteSetting.allowed_iframes = "discourse.org|https://ifram.es"
expect(Onebox.preview("https://blacklist.ed/iframes").to_s).to be_empty
expect(Onebox.preview("https://whitelist.ed/iframes").to_s).to match("iframe src")
end
end end