Merge pull request from GHSA-ccm4-vgcc-73hp
* Tighten allowed HTML in oEmbed-based preview cards * Sanitize preview cards at render time * Add `sandbox` attribute to preview card iframespull/2274/head^2
parent
fed9cbfd2b
commit
6d8e0fae3e
|
@ -11,4 +11,8 @@ class REST::PreviewCardSerializer < ActiveModel::Serializer
|
||||||
def image
|
def image
|
||||||
object.image? ? full_asset_url(object.image.url(:original)) : nil
|
object.image? ? full_asset_url(object.image.url(:original)) : nil
|
||||||
end
|
end
|
||||||
|
|
||||||
|
def html
|
||||||
|
Sanitize.fragment(object.html, Sanitize::Config::MASTODON_OEMBED)
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
|
@ -91,26 +91,26 @@ class Sanitize
|
||||||
]
|
]
|
||||||
)
|
)
|
||||||
|
|
||||||
MASTODON_OEMBED ||= freeze_config merge(
|
MASTODON_OEMBED ||= freeze_config(
|
||||||
RELAXED,
|
elements: %w(audio embed iframe source video),
|
||||||
elements: RELAXED[:elements] + %w(audio embed iframe source video),
|
|
||||||
|
|
||||||
attributes: merge(
|
attributes: {
|
||||||
RELAXED[:attributes],
|
|
||||||
'audio' => %w(controls),
|
'audio' => %w(controls),
|
||||||
'embed' => %w(height src type width),
|
'embed' => %w(height src type width),
|
||||||
'iframe' => %w(allowfullscreen frameborder height scrolling src width),
|
'iframe' => %w(allowfullscreen frameborder height scrolling src width),
|
||||||
'source' => %w(src type),
|
'source' => %w(src type),
|
||||||
'video' => %w(controls height loop width),
|
'video' => %w(controls height loop width),
|
||||||
'div' => [:data]
|
},
|
||||||
),
|
|
||||||
|
|
||||||
protocols: merge(
|
protocols: {
|
||||||
RELAXED[:protocols],
|
|
||||||
'embed' => { 'src' => HTTP_PROTOCOLS },
|
'embed' => { 'src' => HTTP_PROTOCOLS },
|
||||||
'iframe' => { 'src' => HTTP_PROTOCOLS },
|
'iframe' => { 'src' => HTTP_PROTOCOLS },
|
||||||
'source' => { 'src' => HTTP_PROTOCOLS }
|
'source' => { 'src' => HTTP_PROTOCOLS },
|
||||||
)
|
},
|
||||||
|
|
||||||
|
add_attributes: {
|
||||||
|
'iframe' => { 'sandbox' => 'allow-scripts allow-same-origin allow-popups allow-popups-to-escape-sandbox allow-forms' },
|
||||||
|
}
|
||||||
)
|
)
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
Loading…
Reference in New Issue