FIX: Apply censored words to inline onebox (#16873)

Censored watched words were not censored inside the title of an inline oneboxes. Malicious users could exploit this behaviour to insert bad words. The same issue has been fixed for regular Oneboxes in commit d184fe59ca7885741ed9f840d3209a9a5ed861ea.
2025-06-01 01:55:46 +08:00 · 2022-05-25 14:51:47 +03:00
parent 6268fe7495
commit 7328a2bfb0
3 changed files with 41 additions and 11 deletions
--- a/spec/lib/inline_oneboxer_spec.rb
+++ b/spec/lib/inline_oneboxer_spec.rb
@ -313,6 +313,24 @@ describe InlineOneboxer do
        expect(onebox[:title]).to be_blank
      end
    end
+
+    it "censors external oneboxes" do
+      Fabricate(:watched_word, action: WatchedWord.actions[:censor], word: "my")
+
+      SiteSetting.enable_inline_onebox_on_all_domains = true
+
+      stub_request(:get, "https://eviltrout.com/some-path").
+        to_return(status: 200, body: "<html><head><title>welcome to my blog</title></head></html>")
+
+      onebox = InlineOneboxer.lookup(
+        "https://eviltrout.com/some-path",
+        skip_cache: true
+      )
+
+      expect(onebox).to be_present
+      expect(onebox[:url]).to eq("https://eviltrout.com/some-path")
+      expect(onebox[:title]).to eq("welcome to ■■ blog")
+    end
  end

  context "register_local_handler" do