discourse/config
David Taylor 5238f6788c
FEATURE: Allow hotlinked media to be blocked (#16940)
This commit introduces a new site setting: `block_hotlinked_media`. When enabled, all attempts to hotlink media (images, videos, and audio) will fail, and be replaced with a linked placeholder. Exceptions to the rule can be added via `block_hotlinked_media_exceptions`.

`download_remote_image_to_local` can be used alongside this feature. In that case, hotlinked images will be blocked immediately when the post is created, but will then be replaced with the downloaded version a few seconds later.

This implementation is purely server-side, and does not impact the composer preview.

Technically, there are two stages to this feature:

1. `PrettyText.sanitize_hotlinked_media` is called during `PrettyText.cook`, and whenever new images are introduced by Onebox. It will iterate over all src/srcset attributes in the post HTML and check if they're allowed. If not, the attributes will be removed and replaced with a `data-blocked-hotlinked-src(set)` attribute

2. In the `CookedPostProcessor`, we iterate over all `data-blocked-hotlinked-src(set)` attributes and check whether we have a downloaded version of the media. If yes, we update the src to use the downloaded version. If not, the entire media element is replaced with a placeholder. The placeholder is labelled 'external media', and is a link to the offsite media.
2022-06-07 15:23:04 +01:00
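The two stages described in the commit message, as an added example written for this page; it is not Discourse's own code. It assumes a site host `forum.example.com`, an exception list `["cdn.example.org"]`, a `downloaded` hash standing in for the upload records that `CookedPostProcessor` consults, and XHTML-style input (self-closing `<img />`) so that Ruby's bundled REXML can parse the fragment. The `allowed_hotlink?` check is deliberately host-based rather than substring-based so that `https://cdn.example.org.example.net/` and `https://cdn.example.org@example.net/` are both blocked; matching a subdomain of an exception is this example's own choice, not a claim about the setting's semantics.

```ruby
require "rexml/document"
require "uri"

# Assumed values standing in for the site's own hostname and for the
# block_hotlinked_media_exceptions setting; neither is read from Discourse.
SITE_HOST    = "forum.example.com"
EXCEPTIONS   = ["cdn.example.org"]
MEDIA_TAGS   = %w[img video audio source]
BLOCKED_ATTR = { "src"    => "data-blocked-hotlinked-src",
                 "srcset" => "data-blocked-hotlinked-srcset" }

# Stage 1 policy: may this URL be hotlinked? The decision is made on the
# parsed host, never on a substring, so userinfo tricks and look-alike
# suffixes do not slip past the exception list.
def allowed_hotlink?(url, site_host: SITE_HOST, exceptions: EXCEPTIONS)
  uri = URI.parse(url.strip)
  return uri.scheme.nil? if uri.host.nil?   # schemeless, hostless => site-relative path (assumption)
  host = uri.host.downcase
  return true if host == site_host
  # exact exception or a subdomain of one (this example's semantics, not the setting's)
  exceptions.any? { |ex| host == ex || host.end_with?(".#{ex}") }
rescue URI::InvalidURIError
  false                                     # unparseable => treat as a hotlink and block it
end

# A srcset is allowed only if every candidate URL in it is allowed.
# Candidates are "url descriptor" pairs separated by commas; commas inside
# URLs are not handled here.
def srcset_allowed?(srcset, **opts)
  srcset.split(",").all? do |candidate|
    url = candidate.strip.split(/\s+/).first
    url.nil? || allowed_hotlink?(url, **opts)
  end
end

def parse_fragment(html)
  REXML::Document.new("<root>#{html}</root>")  # wrapper root so a fragment parses
end

def serialize_fragment(doc)
  doc.root.children.map(&:to_s).join
end

# Stage 1: move disallowed src/srcset values into data-blocked-hotlinked-* attributes.
def sanitize_hotlinked_media(html, **opts)
  doc = parse_fragment(html)
  REXML::XPath.match(doc, "//*").each do |el|
    next unless MEDIA_TAGS.include?(el.name)
    BLOCKED_ATTR.each do |attr, blocked|
      value = el.attributes[attr]
      next if value.nil?
      ok = attr == "src" ? allowed_hotlink?(value, **opts) : srcset_allowed?(value, **opts)
      next if ok
      el.delete_attribute(attr)
      el.add_attribute(blocked, value)
    end
  end
  serialize_fragment(doc)
end

# Stage 2: `downloaded` maps remote URL => local path (assumed shape). Media
# that was downloaded gets its src/srcset restored from the local copy; the
# rest is replaced by a placeholder link labelled "external media".
def process_blocked_media(html, downloaded, **opts)
  doc = parse_fragment(html)
  REXML::XPath.match(doc, "//*").each do |el|
    next unless MEDIA_TAGS.include?(el.name)
    if (remote = el.attributes["data-blocked-hotlinked-src"])
      el.delete_attribute("data-blocked-hotlinked-src")
      if downloaded.key?(remote)
        el.add_attribute("src", downloaded[remote])
      else
        link = REXML::Element.new("a")
        link.add_attribute("class", "blocked-hotlinked-media")  # hypothetical class name
        link.add_attribute("href", remote)
        link.text = "external media"
        el.parent.replace_child(el, link)
        next
      end
    end
    if (srcset = el.attributes["data-blocked-hotlinked-srcset"])
      el.delete_attribute("data-blocked-hotlinked-srcset")
      rewritten = srcset.split(",").map do |c|
        url, *desc = c.strip.split(/\s+/)
        next nil if url.nil?
        local = allowed_hotlink?(url, **opts) ? url : downloaded[url]
        local && [local, *desc].join(" ")
      end
      # a srcset is restored only when every candidate is local; otherwise it is dropped
      el.add_attribute("srcset", rewritten.join(", ")) if rewritten.all?
    end
  end
  serialize_fragment(doc)
end

# Constructed sample post HTML (hotlink.example.net is an invented host).
SAMPLE_HTML = '<p>a <img src="https://hotlink.example.net/a.png" /> b ' \
              '<img src="/uploads/default/1.png" srcset="https://hotlink.example.net/1x.png 1x, /uploads/default/2x.png 2x" /> c ' \
              '<img src="https://cdn.example.org/b.png" /></p>'
DOWNLOADED  = { "https://hotlink.example.net/1x.png" => "/uploads/default/local-1x.png" }
```

Running `process_blocked_media(sanitize_hotlinked_media(SAMPLE_HTML), DOWNLOADED)` leaves the site-relative and `cdn.example.org` images untouched, restores the `srcset` from the local copy of `1x.png`, and turns the undownloaded `a.png` into the placeholder link. Inside a `<video>` element the placeholder replaces the individual `<source>`; a production implementation would replace the whole media element.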
Name | Last commit | Date
cloud/cloud66 | DEV: enable frozen string literal on all files | 2019-05-13 09:31:32 +08:00
environments | DEV: Allow all subdomains of localhost in development (#17018) | 2022-06-06 16:02:51 -05:00
initializers | DEV: Use new defaults for ActiveSupport::Digest | 2022-05-18 16:51:07 +02:00
locales | FEATURE: Allow hotlinked media to be blocked (#16940) | 2022-06-07 15:23:04 +01:00
application.rb | DEV: Apply Rails 6.1 defaults | 2022-05-24 17:13:44 +02:00
boot.rb | DEV: Fix methods removed in Ruby 3.2 (#15459) | 2022-01-05 18:45:08 +01:00
cdn.yml.sample | |
database.yml | remove some hardcoded 'localhost's from dev environment (#14801) | 2021-11-03 11:26:44 +08:00
deploy.rb.sample | |
dev_defaults.yml | DEV: Fix typos and outdated comments (#16614) | 2022-05-04 14:12:18 +08:00
discourse.config.sample | |
discourse.pill.sample | |
discourse_defaults.conf | DEV: Remove RTLit gem (#16620) | 2022-05-04 14:11:12 +08:00
environment.rb | DEV: Upgrade to Rails 7 | 2022-04-28 11:51:03 +02:00
logrotate.conf | |
multisite.yml.production-sample | DEV: Remove `db_id` from sample multisite config. | 2020-05-29 10:48:29 +08:00
nginx.global.conf | |
nginx.sample.conf | FEATURE: Optimize images before upload (#13432) | 2021-06-23 12:31:12 -03:00
projections.json | DEV: Use .hbr for raw template file extension (#8883) | 2020-02-11 13:38:12 -06:00
puma.rb | remove daemonize setting (#12232) | 2021-03-01 16:42:50 +11:00
routes.rb | FEATURE: user status (#16875) | 2022-05-27 13:15:14 +04:00
sidekiq.yml | FEATURE: introduce ultra_low priority queue | 2019-01-17 14:53:19 +11:00
site_settings.yml | FEATURE: Allow hotlinked media to be blocked (#16940) | 2022-06-07 15:23:04 +01:00
spring.rb | DEV: enable frozen string literal on all files | 2019-05-13 09:31:32 +08:00
thin.yml.sample | |
unicorn.conf.rb | DEV: Avoid `$` globals (#15453) | 2022-01-08 23:39:46 +01:00
unicorn_launcher | FIX: Increase timeout when trying to reload unicorn. | 2018-12-04 13:43:14 +08:00
unicorn_upstart.conf | |