SECURITY: don't onebox whispers

2025-05-23 13:41:04 +08:00 · 2018-02-16 08:56:13 +11:00
parent 32ad98161f
commit cda3f72ab8
2 changed files with 31 additions and 20 deletions
--- a/spec/controllers/onebox_controller_spec.rb
+++ b/spec/controllers/onebox_controller_spec.rb
@ -139,6 +139,17 @@ describe OneboxController do
      expect(response.body).not_to include('blockquote')
    end

+    it 'does not allow whisper onebox' do
+      log_in
+
+      post = create_post
+      whisper = create_post(topic_id: post.topic_id, post_type: Post.types[:whisper])
+      url = Discourse.base_url + whisper.url
+
+      get :show, params: { url: url }, format: :json
+      expect(response.body).not_to include('blockquote')
+    end
+
    it 'allows onebox to public topics/posts in PM' do
      log_in