FIX: whitelist oneboxed iframes

2025-06-01 01:55:46 +08:00 · 2017-12-23 01:56:33 +01:00
parent b74e933cfb
commit d6b22e6cc1
2 changed files with 46 additions and 0 deletions
--- a/lib/onebox/engine/whitelisted_generic_onebox.rb
+++ b/lib/onebox/engine/whitelisted_generic_onebox.rb
@ -14,6 +14,24 @@ module Onebox
        Float::INFINITY
      end

+      private
+
+        # overwrite to whitelist iframes
+        def is_embedded?
+          return false unless data[:html] && data[:height]
+          return true if WhitelistedGenericOnebox.html_providers.include?(data[:provider_name])
+
+          if data[:html]["iframe"]
+            fragment = Nokogiri::HTML::fragment(data[:html])
+            if iframe = fragment.at_css("iframe")
+              src = iframe["src"]
+              return src.present? && SiteSetting.allowed_iframes.split("|").any? { |url| src.start_with?(url) }
+            end
+          end
+
+          false
+        end
+
    end
  end
 end