FIX: Don't put iframes in emails where they are sanitized out. Replace them with links.
This commit is contained in:
Robin Ward
2014-07-14 16:41:05 -04:00
parent 766196af87
commit dd6fd7fa39
2 changed files with 29 additions and 0 deletions


@ -79,6 +79,21 @@ describe Email::Styles do
expect(frag.at('ul')['style']).to be_present
expect(frag.at('li')['style']).to be_present
end
it "converts iframes to links" do
iframe_url = "http://www.youtube.com/embed/7twifrxOTQY?feature=oembed&wmode=opaque"
frag = html_fragment("<iframe src=\"#{iframe_url}\"></iframe>")
expect(frag.at('iframe')).to be_blank
expect(frag.at('a')).to be_present
expect(frag.at('a')['href']).to eq(iframe_url)
end
it "won't allow non URLs in iframe src, strips them with no link" do
iframe_url = "alert('xss hole')"
frag = html_fragment("<iframe src=\"#{iframe_url}\"></iframe>")
expect(frag.at('iframe')).to be_blank
expect(frag.at('a')).to be_blank
end
end
context "rewriting protocol relative URLs to the forum" do
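Review bot: The second example (L24-L29) is named as an XSS guard but its fixture `alert('xss hole')` is not a URI at all, so a passing test cannot distinguish "rejected because the scheme is not allowed" from "rejected because it failed to parse", and a well-formed URI with a non-http(s) scheme is left unexercised. Since the link is later rendered as an `href` in the email, the behaviour worth pinning is that only http and https sources become links; the implementation lives in the other changed file and is not shown here, so whether it already does this cannot be confirmed from this hunk. I would add a third example next to the existing two that uses a syntactically valid but non-web scheme and asserts both the iframe and the link are absent (fixture value below is a constructed inert example). The enclosing `describe Email::Styles` block starts before this hunk.
```ruby
# … unchanged: existing iframe examples …
it "only links iframe src values with an http or https scheme" do
  frag = html_fragment("<iframe src=\"javascript:void(0)\"></iframe>")
  expect(frag.at('iframe')).to be_blank
  expect(frag.at('a')).to be_blank
end
```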