SECURITY: Prevent XSS in local oneboxes (#20008)

Co-authored-by: OsamaSayegh <asooomaasoooma90@gmail.com>
Bianca Nenciu
2023-01-25 19:17:21 +02:00
committed by GitHub
parent f55e0fe791
commit c186a46910
3 changed files with 97 additions and 4 deletions


@ -343,7 +343,8 @@ module Oneboxer
end
end
html = html.presence || "<a href='#{URI(url).to_s}'>#{URI(url).to_s}</a>"
normalized_url = ::Onebox::Helpers.normalize_url_for_output(URI(url).to_s)
html = html.presence || "<a href='#{normalized_url}'>#{normalized_url}</a>"
{ onebox: html, preview: html }
end
@ -355,18 +356,28 @@ module Oneboxer
""
end
normalized_url = ::Onebox::Helpers.normalize_url_for_output(url)
case File.extname(URI(url).path || "")
when VIDEO_REGEX
<<~HTML
<div class="onebox video-onebox">
<video #{additional_controls} width="100%" height="100%" controls="">
<source src='#{url}'>
<a href='#{url}'>#{url}</a>
<source src='#{normalized_url}'>
<a href='#{normalized_url}'>
#{normalized_url}
</a>
</video>
</div>
HTML
when AUDIO_REGEX
"<audio #{additional_controls} controls><source src='#{url}'><a href='#{url}'>#{url}</a></audio>"
<<~HTML
<audio #{additional_controls} controls>
<source src='#{normalized_url}'>
<a href='#{normalized_url}'>
#{normalized_url}
</a>
</audio>
HTML
end
end
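Review bot: The `src='…'` and `href='…'` attributes in both new heredocs are single-quoted, so this fix only closes the injection if `::Onebox::Helpers.normalize_url_for_output` escapes `'` in addition to `&`, `<` and `>`; that helper is defined outside this hunk, so the contract is not visible here, and the same dependency exists for the anchor built in the earlier hunk (`html = html.presence || "<a href='#{normalized_url}'>…"`). A one-line comment above the `case File.extname(...)` line would pin the assumption for the next maintainer: `# normalized_url lands in single-quoted attributes and text: normalize_url_for_output must escape ' as well as &<>`. `additional_controls` is also interpolated unescaped into the `<video>`/`<audio>` tags; where it comes from is outside the hunk, so it is worth confirming it is assembled from constant strings rather than request input. The enclosing method starts before this hunk.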