From dd6fd7fa390014e2d9ca29cd90bf3d71e8707238 Mon Sep 17 00:00:00 2001
From: Robin Ward
Date: Mon, 14 Jul 2014 16:41:05 -0400
Subject: [PATCH] FIX: Don't put iframes in emails where they are sanitized out. Replace them with links.
---
 lib/email/styles.rb | 14 ++++++++++++++
 spec/components/email/styles_spec.rb | 15 +++++++++++++++
 2 files changed, 29 insertions(+)
diff --git a/lib/email/styles.rb b/lib/email/styles.rb
index 3c78661f08e..84e602f5f87 100644
--- a/lib/email/styles.rb
+++ b/lib/email/styles.rb
@@ -81,6 +81,20 @@ module Email
 @fragment.css('aside, article, header').each do |n|
 n.name = "div"
 end
+
+ # iframes can't go in emails, so replace them with clickable links
+ @fragment.css('iframe').each do |i|
+ begin
+ src_uri = URI(i['src'])
+
+ # If an iframe is protocol relative, use SSL when displaying it
+ display_src = "#{src_uri.scheme || 'https://'}#{src_uri.host}#{src_uri.path}"
+ i.replace "

#{display_src}

"
+ rescue URI::InvalidURIError
+ # If the URL is weird, remove it
+ i.remove
+ end
+ end
 end
 def format_html
diff --git a/spec/components/email/styles_spec.rb b/spec/components/email/styles_spec.rb
index 6b4fdaed8cb..8c2b4ca9ff5 100644
--- a/spec/components/email/styles_spec.rb
+++ b/spec/components/email/styles_spec.rb
@@ -79,6 +79,21 @@ describe Email::Styles do
 expect(frag.at('ul')['style']).to be_present
 expect(frag.at('li')['style']).to be_present
 end
+
+ it "converts iframes to links" do
+ iframe_url = "http://www.youtube.com/embed/7twifrxOTQY?feature=oembed&wmode=opaque"
+ frag = html_fragment("")
+ expect(frag.at('iframe')).to be_blank
+ expect(frag.at('a')).to be_present
+ expect(frag.at('a')['href']).to eq(iframe_url)
+ end
+
+ it "won't allow non URLs in iframe src, strips them with no link" do
+ iframe_url = "alert('xss hole')"
+ frag = html_fragment("")
+ expect(frag.at('iframe')).to be_blank
+ expect(frag.at('a')).to be_blank
+ end
 end
 context "rewriting protocol relative URLs to the forum" do
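Review bot: In the display_src line of the lib/email/styles.rb hunk, `src_uri.scheme` comes back without a separator while the fallback literal is `'https://'`, so for an absolute src such as the spec's YouTube URL the visible link text becomes `httpwww.youtube.com/embed/7twifrxOTQY`; `display_src = "#{src_uri.scheme || 'https'}://#{src_uri.host}#{src_uri.path}"` gives the right form for both absolute and protocol-relative sources. The "converts iframes to links" example in the spec/components/email/styles_spec.rb hunk asserts only `href`, so `expect(frag.at('a').text).to eq("http://www.youtube.com/embed/7twifrxOTQY")` would be needed to catch this. An `<iframe>` with no src attribute hands `nil` to `URI()`, which raises ArgumentError rather than URI::InvalidURIError, so the rescue does not catch it and the whole email render fails; `next i.remove unless i['src']` before the `begin` keeps that case on the removal path. The rescue only rejects syntactically malformed values — the second spec's `alert('xss hole')` is dropped because of its space and quotes, not its content — so a well-formed src with a non-web scheme parses cleanly and reaches the replacement; the anchor markup itself is not visible on this page, but if its href carries the raw src, an allowlist such as `unless src_uri.scheme.nil? || %w[http https].include?(src_uri.scheme)` falling through to `i.remove` would keep only web links in the email. The iframe block is complete within the hunk, but the method enclosing it starts before the hunk.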