FIX: Latest onebox adds more attributes to links for security

2025-06-06 03:06:53 +08:00 · 2017-05-12 15:49:20 -04:00
parent dd0c34c4b9
commit 1fb08d24d9
1 changed files with 11 additions and 7 deletions
--- a/spec/components/onebox/engine/discourse_local_onebox_spec.rb
+++ b/spec/components/onebox/engine/discourse_local_onebox_spec.rb
@ -4,25 +4,29 @@ describe Onebox::Engine::DiscourseLocalOnebox do
  before { SiteSetting.external_system_avatars_enabled = false }
  def build_link(url)
    %|<a href="#{url}" target="_blank" rel="nofollow noopener">#{url}</a>|
  end
  context "for a link to a post" do
    let(:post)  { Fabricate(:post) }
    let(:post2) { Fabricate(:post, topic: post.topic, post_number: 2) }
    it "returns a link if post isn't found" do
      url = "#{Discourse.base_url}/t/not-exist/3/2"
-      expect(Onebox.preview(url).to_s).to eq(%|<a href="#{url}">#{url}</a>|)
+      expect(Onebox.preview(url).to_s).to eq(build_link(url))
    end
    it "returns a link if not allowed to see the post" do
      url = "#{Discourse.base_url}#{post2.url}"
      Guardian.any_instance.expects(:can_see_post?).returns(false)
-      expect(Onebox.preview(url).to_s).to eq(%|<a href="#{url}">#{url}</a>|)
+      expect(Onebox.preview(url).to_s).to eq(build_link(url))
    end
    it "returns a link if post is hidden" do
      hidden_post = Fabricate(:post, topic: post.topic, post_number: 2, hidden: true, hidden_reason_id: Post.hidden_reasons[:flag_threshold_reached])
      url = "#{Discourse.base_url}#{hidden_post.url}"
-      expect(Onebox.preview(url).to_s).to eq(%|<a href="#{url}">#{url}</a>|)
+      expect(Onebox.preview(url).to_s).to eq(build_link(url))
    end
    it "returns some onebox goodness if post exists and can be seen" do
@ -43,13 +47,13 @@ describe Onebox::Engine::DiscourseLocalOnebox do
    it "returns a link if topic isn't found" do
      url = "#{Discourse.base_url}/t/not-found/123"
-      expect(Onebox.preview(url).to_s).to eq(%|<a href="#{url}">#{url}</a>|)
+      expect(Onebox.preview(url).to_s).to eq(build_link(url))
    end
    it "returns a link if not allowed to see the topic" do
      url = topic.url
      Guardian.any_instance.expects(:can_see_topic?).returns(false)
-      expect(Onebox.preview(url).to_s).to eq(%|<a href="#{url}">#{url}</a>|)
+      expect(Onebox.preview(url).to_s).to eq(build_link(url))
    end
    it "replaces emoji in the title" do
@ -80,13 +84,13 @@ describe Onebox::Engine::DiscourseLocalOnebox do
      html = Onebox.preview(url).to_s
      # </source> will be removed by the browser
      # need to fix https://github.com/rubys/nokogumbo/issues/14
-      expect(html).to eq(%|<audio controls=""><source src="#{url}"></source><a href="#{url}">#{url}</a></audio>|)
+      expect(html).to eq(%|<audio controls=""><source src="#{url}"></source>#{build_link(url)}</audio>|)
    end
    it "returns some onebox goodness for video file" do
      url = "#{Discourse.base_url}#{path}.mov"
      html = Onebox.preview(url).to_s
-      expect(html).to eq(%|<video width="100%" height="100%" controls=""><source src="#{url}"></source><a href="#{url}">#{url}</a></video>|)
+      expect(html).to eq(%|<video width="100%" height="100%" controls=""><source src="#{url}"></source>#{build_link(url)}</video>|)
    end
  end