Arpit Jalan
52c8cab7f2
FIX: bypass finaldestination check for Vimeo links.
2019-11-27 14:00:46 +05:30
Sam Saffron
0fb497eb23
DEV: use Discourse.cache over Rails.cache
Discourse.cache is a more consistent method to use and offers clean fallback
if you are skipping redis
This is part of a larger change that both optimizes Discourse.cache and omits
use of setex on $redis in favor of consistently using discourse cache
Bench does reveal that use of Rails.cache and Discourse.cache is 1.25x slower
than redis.setex / get so a re-implementation will follow prior to porting
2019-11-27 12:36:19 +11:00
Penar Musaraj
102909edb3
FEATURE: Add support for secure media ( #7888 )
This PR introduces a new secure media setting. When enabled, it prevents unauthorized access to media uploads (files of type image, video and audio). When the `login_required` setting is enabled, then all media uploads will be protected from unauthorized (anonymous) access. When `login_required` is disabled, only media in private messages will be protected from unauthorized access.
A few notes:
- the `prevent_anons_from_downloading_files` setting no longer applies to audio and video uploads
- the `secure_media` setting can only be enabled if S3 uploads are already enabled and configured
- upload records have a new column, `secure`, which is a boolean `true/false` of the upload's secure status
- when creating a public post with an upload that has already been uploaded and is marked as secure, the post creator will raise an error
- when enabling or disabling the setting on a site with existing uploads, the rake task `uploads:ensure_correct_acl` should be used to update all uploads' secure status and their ACL on S3
2019-11-18 11:25:42 +10:00
Arpit Jalan
6a417c308f
FIX: include onebox default options in development environment
2019-11-07 15:42:53 +05:30
Arpit Jalan
00c406520e
FEATURE: allow FinalDestination to use custom user agent for specific hosts
2019-11-07 14:47:51 +05:30
Arpit Jalan
72bc0f82b9
FIX: no need to pass `cache` option in onebox
2019-11-04 10:59:28 +05:30
Penar Musaraj
f8b72d9835
DEV: Refactor excluding audio/video URLs from search result blurbs
Followup to 580a4a82
2019-10-31 09:13:24 -04:00
Nacho Caballero
d5121e5ddb
FIX: Add common HTML5 media extensions to onebox audio and video tags ( #8216 )
2019-10-21 12:10:40 -04:00
Krzysztof Kotlarek
427d54b2b0
DEV: Upgrading Discourse to Zeitwerk ( #8098 )
Zeitwerk simplifies working with dependencies in dev and makes reloading class chains easier.
We no longer need to use Rails "require_dependency" anywhere and instead can just use standard
Ruby patterns to require files.
This is a far reaching change and we expect some followups here.
2019-10-02 14:01:53 +10:00
Penar Musaraj
3debdc8131
SECURITY: XSS when oneboxing user profile location field
The XSS here is only possible if CSP is disabled. Low impact since CSP is enabled by default in SiteSettings.
2019-09-17 16:12:50 -04:00
Sam Saffron
30990006a9
DEV: enable frozen string literal on all files
This reduces chances of errors where consumers of strings mutate inputs
and reduces memory usage of the app.
Test suite passes now, but there may be some stuff left, so we will run
a few sites on a branch prior to merging
2019-05-13 09:31:32 +08:00
Tim Lange
5a9dd923cc
FIX: Onebox discourse user not respecting enable names ( #7245 )
2019-03-25 12:50:14 +05:30
Arpit Jalan
e5fd018f44
DEV: assign constant to `preserve_fragment_url_hosts`
2018-12-19 17:37:39 +05:30
Arpit Jalan
1ab91f0474
FIX: preserve github fragment URL
2018-12-19 12:34:47 +05:30
Guo Xiang Tan
a1e77aa2ed
FEATURE: Reimplement `SiteSetting.max_oneboxes_per_post`. ( #6668 )
Previously, the site setting was only effective on the client side of
things. Once the site setting had been reached, all oneboxes are not
rendered. This commit changes it such that the site setting is respected
both on the client and server side. The first N oneboxes are rendered and
once the limit has been reached, subsequent oneboxes will not be
rendered.
2018-11-27 16:00:31 +08:00
Bianca Nenciu
4e0533a20b
FIX: Generate Onebox for posts of type moderator_action. ( #6466 )
2018-10-10 18:39:03 +08:00
Arpit Jalan
fadcd36f92
FIX: do not treat ignore_redirects domains as blacklisted
This fix prevents domains present in `ignore_redirects` from being treated as
blacklisted domains and makes sure that oneboxing happens for those domains.
Issue reported here: https://meta.discourse.org/t/steam-store-oneboxing-no-longer-works/97266
2018-09-18 10:38:02 +05:30
Bianca Nenciu
b6963b8ffb
FIX: Ignore OneBox blacklisted domains.
2018-08-27 20:40:55 +02:00
Guo Xiang Tan
ad5082d969
Make rubocop happy again.
2018-06-07 13:28:18 +08:00
Régis Hanol
3c8b43bb01
FIX: non-oneboxed links on separate lines should stay on separate lines
2018-04-11 21:33:45 +02:00
Vinoth Kannan
58bb3967e5
SECURITY: Oneboxer should escape the URL before processing
2018-03-15 19:57:55 +05:30
Régis Hanol
3be0294465
FIX: local post onebox was always pointing to 1st post
2018-02-26 16:05:35 +01:00
Régis Hanol
7d7f6faf40
FIX: properly render emojis in local oneboxes
2018-02-26 11:16:53 +01:00
Régis Hanol
0799831dbe
FIX: use the avatar of the post rather than the topic in local oneboxes
2018-02-20 19:49:39 +01:00
Régis Hanol
60ec483caa
FIX: include title in local onebox when linking to a different topic
2018-02-19 22:40:14 +01:00
Régis Hanol
93b1829f04
tiny refactor
2018-02-16 11:21:11 +01:00
Sam
cda3f72ab8
SECURITY: don't onebox whispers
2018-02-16 08:57:20 +11:00
Sam
57e140dc07
FIX: oneboxing to private messages
2018-02-16 08:00:22 +11:00
Régis Hanol
8e0da35857
FIX: allow local oneboxes to public topics/posts in PM
2018-02-15 18:14:41 +01:00
Sam
f028ffaf29
SECURITY: correct local onebox category checks
Also removes ugly "source_topic_id" from cooked posts
Patch was authored by @zogstrip
Signed-off-by: Sam <sam.saffron@gmail.com>
2018-02-14 10:40:46 +11:00
Régis Hanol
8e55400392
FIX: add 'SiteSetting.port' to 'Onebox.allowed_ports' in development mode
2017-12-18 18:31:41 +01:00
Joffrey JAFFEUX
6cd8203686
FIX: allows onebox to force GET hosts returning wrong headers on HEAD
2017-08-08 11:44:27 +02:00
Guo Xiang Tan
5012d46cbd
Add rubocop to our build. ( #5004 )
2017-07-28 10:20:09 +09:00
Blake Erickson
6fc5ece628
FIX: onebox for dropbox video links not working
add dropbox to the list of ignore redirects for onebox links
2017-07-26 14:37:54 -06:00
Régis Hanol
9e03fae26c
FIX: internal oneboxing wasn't working when login was required
2017-07-17 17:33:10 +02:00
Robin Ward
db485ae0da
FIX: Support for skipping redirects on certain domains (like steam)
2017-06-26 15:38:43 -04:00
Robin Ward
0de5d01d79
FIX: Onebox wasn't using correct uri
2017-06-06 16:39:15 -04:00
Robin Ward
369bb78f8e
FIX: Support for cookies in onebox redirects
2017-06-06 15:02:11 -04:00
Robin Ward
4c690f7089
Use `FinalDestination` to ensure public redirects for onebox
2017-05-22 16:42:49 -04:00
David McClure
b188c30925
FIX: Import scripts were failing to load onebox sanitize config
2017-02-25 09:27:42 -08:00
Régis Hanol
ba115480ba
FIX: wasn't extracting links to quoted posts
2017-02-06 14:45:04 +01:00
Guo Xiang Tan
d10fe51b72
Fix broken specs since all urls will be oneboxed.
2017-01-06 10:05:51 +08:00
Régis Hanol
b12b2b1911
change onebox preview key for me consistency
2016-12-20 11:18:47 +01:00
Régis Hanol
52cd9972bb
FIX: prevent DDoS with lots of _oneboxable_ links
FIX: ensure the onebox route is only allowed to logged in users
FIX: only allow 1 outgoing onebox preview per user
FIX: client should only do 1 preview at a time
2016-12-20 00:31:10 +01:00
Régis Hanol
a655e4b092
ensure we allow self oneboxing of login required sites
2016-11-03 22:48:32 +01:00
Régis Hanol
08d53b32ca
let's try loading onebox engines this way
2016-10-25 01:25:44 +02:00
Régis Hanol
3841cd9a7f
FEATURE: onebox everything by default
FEATURE: new 'max_oneboxes_per_post' site setting
FEATURE: change onebox whitelist to a blacklist
PERF: debounce the loading of oneboxes
PERF: improve perf of mention links in preview
FIX: sort loading of custom oneboxer
2016-10-24 12:46:22 +02:00
Robin Ward
0396b14b70
FEATURE: New "First Onebox" badge
2016-04-12 15:31:14 -04:00
Arpit Jalan
f38abbe279
FIX: onebox links should respect nofollow settings
2015-12-04 01:59:12 +05:30
Sam
57870b970d
correct hack and move to oneboxer
2015-09-25 20:14:53 +10:00
Sam
18a8853181
FIX: don't crash out searching for parent in oneboxer
2015-09-22 12:42:13 +10:00
Sam
88a5a676a7
lower error level on onebox failures
2015-08-24 10:43:07 +10:00
riking
5657006aca
Rename handle_exception to handle_job_exception
2015-02-09 12:47:46 -08:00
riking
d90404e830
Change 'code' to 'message'
2014-07-17 15:19:58 -07:00
Robin Ward
fc20332c0f
Lift all oneboxes out of `<p>` tags.
2014-07-04 16:09:51 -04:00
Robin Ward
7bb33c28c2
Add new `max_width` feature for oneboxes. Allows vimeo oneboxes to not look like total garbage.
2014-06-05 13:18:18 -04:00
Sam
0bc3525b10
BUGFIX: more robust onebox implementation
2014-05-28 17:15:10 +10:00
Robin Ward
b0405d7cfa
Adds a Site Setting to whitelist onebox domains
2014-04-09 16:57:45 -04:00
Sam
239bcd19df
BUGFIX: protect ourselves against rogue onebox gem
2014-04-01 15:29:14 +11:00
Sam
00a46253ae
BUGFIX: Don't resolve oneboxes when cooking
Defer to post save job
2014-03-18 15:22:53 +11:00
Robin Ward
cd7ef6b49a
Revert "FIX: Bunch of Onebox issues"
This reverts commit ccbe671e4a.
2014-02-25 13:35:08 -05:00
Robin Ward
ccbe671e4a
FIX: Bunch of Onebox issues
2014-02-25 13:29:05 -05:00
Neil Lalonde
d343e9f360
Add DiscourseLocalOnebox
2014-01-29 14:14:07 -05:00
Robin Ward
e453bfa073
Work in progress: Swap out onebox code for onebox gem
2014-01-29 14:14:07 -05:00
Neil Lalonde
86647f0a54
Add ScreenedUrl. Rename BlockedEmail to ScreenedEmail.
2013-08-14 16:08:23 -04:00
Sam
e4a76812a6
this is a slightly round about way of making our self oneboxes sane
shrunk avatar to 60px, added global whitelisting
2013-05-01 16:38:13 +10:00
Sam Saffron
94a578e4b2
ignore assets
fix runner so it works on mac
get rid of some test warnings
2013-04-30 12:43:59 +10:00
Sam
33e3ad1603
clean up onebox application so it uses a single code path
use fragments for oneboxes
strip parent <p> if <div> is in it
clean some tests
2013-04-10 17:52:38 +10:00
Robin Ward
ee5213be5f
Fixes regression with video embeds
2013-03-21 20:53:12 -04:00
Robin Ward
babcfe6234
Cache oneboxes in Redis now instead of postgres.
2013-03-21 13:11:54 -04:00
Robin Ward
9d4ecd7ef8
Oneboxes should use a sorted array for ordering, not a hash.
2013-03-21 11:47:01 -04:00
Robin Ward
1221c393a3
Merge branch 'whitespace-cleanese' of git://github.com/goshakkk/discourse
Conflicts:
lib/oneboxer.rb
lib/oneboxer/whitelist.rb
spec/controllers/robots_txt_controller_spec.rb
2013-02-26 10:42:49 -05:00
Gosha Arinich
cafc75b238
remove trailing whitespaces ❤️
2013-02-26 07:31:35 +03:00
tms
2e230d2661
Be more selective about when we allow oembed discovery
2013-02-25 20:48:17 -05:00
Robin Ward
ba238f92c2
Revert "Merge branch 'onebox-safety' of git://github.com/tms/discourse"
This reverts commit 7ca57db97a, reversing changes made to b7e027cfd1.
2013-02-19 14:22:13 -05:00
tms
6d06420583
Be more selective about when we allow oembed discovery
2013-02-19 11:46:36 -05:00
tms
702fbcdfa8
Oneboxes shouldn't explode when the remote causes an HTTPError
2013-02-17 04:10:17 -05:00
Jaime Iniesta
6995e75d41
Replace Hpricot with Nokogiri
2013-02-14 11:35:50 +01:00
Sam Saffron
0f88947279
fix onebox for your own site
2013-02-06 16:22:11 +11:00
Robin Ward
21b5628528
Initial release of Discourse
2013-02-05 14:16:51 -05:00