forked from treehouse/mastodon
Fix malformed HTML causing uncaught error (#13042)
Fix OEmbed preview API leaking existence of private statuses (see #12930)signup-info-prompt
parent
02236332ba
commit
a64973aecf
|
@ -7,15 +7,21 @@ class Api::Web::EmbedsController < Api::Web::BaseController
|
||||||
|
|
||||||
def create
|
def create
|
||||||
status = StatusFinder.new(params[:url]).status
|
status = StatusFinder.new(params[:url]).status
|
||||||
|
|
||||||
|
return not_found if status.hidden?
|
||||||
|
|
||||||
render json: status, serializer: OEmbedSerializer, width: 400
|
render json: status, serializer: OEmbedSerializer, width: 400
|
||||||
rescue ActiveRecord::RecordNotFound
|
rescue ActiveRecord::RecordNotFound
|
||||||
oembed = FetchOEmbedService.new.call(params[:url])
|
oembed = FetchOEmbedService.new.call(params[:url])
|
||||||
oembed[:html] = Formatter.instance.sanitize(oembed[:html], Sanitize::Config::MASTODON_OEMBED) if oembed[:html].present?
|
|
||||||
|
|
||||||
if oembed
|
return not_found if oembed.nil?
|
||||||
|
|
||||||
|
begin
|
||||||
|
oembed[:html] = Formatter.instance.sanitize(oembed[:html], Sanitize::Config::MASTODON_OEMBED)
|
||||||
|
rescue ArgumentError
|
||||||
|
return not_found
|
||||||
|
end
|
||||||
|
|
||||||
render json: oembed
|
render json: oembed
|
||||||
else
|
|
||||||
render json: {}, status: :not_found
|
|
||||||
end
|
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
|
@ -46,6 +46,8 @@ class Formatter
|
||||||
|
|
||||||
def reformat(html)
|
def reformat(html)
|
||||||
sanitize(html, Sanitize::Config::MASTODON_STRICT)
|
sanitize(html, Sanitize::Config::MASTODON_STRICT)
|
||||||
|
rescue ArgumentError
|
||||||
|
''
|
||||||
end
|
end
|
||||||
|
|
||||||
def plaintext(status)
|
def plaintext(status)
|
||||||
|
|
Loading…
Reference in New Issue