Merge pull request from GHSA-ccm4-vgcc-73hp

* Tighten allowed HTML in oEmbed-based preview cards * Sanitize preview cards at render time * Add `sandbox` attribute to preview card iframes
2023-07-06 15:03:33 +02:00 · 2023-07-06 15:03:33 +02:00 · 6d8e0fae3e
parent fed9cbfd2b
commit 6d8e0fae3e
2 changed files with 15 additions and 11 deletions
--- a/app/serializers/rest/preview_card_serializer.rb
+++ b/app/serializers/rest/preview_card_serializer.rb
@ -11,4 +11,8 @@ class REST::PreviewCardSerializer < ActiveModel::Serializer
  def image
    object.image? ? full_asset_url(object.image.url(:original)) : nil
  end
  def html
    Sanitize.fragment(object.html, Sanitize::Config::MASTODON_OEMBED)
  end
 end
--- a/lib/sanitize_ext/sanitize_config.rb
+++ b/lib/sanitize_ext/sanitize_config.rb
@ -91,26 +91,26 @@ class Sanitize
      ]
    )
-    MASTODON_OEMBED ||= freeze_config merge(
+    MASTODON_OEMBED ||= freeze_config(
-      RELAXED,
+      elements: %w(audio embed iframe source video),
      elements: RELAXED[:elements] + %w(audio embed iframe source video),
-      attributes: merge(
+      attributes: {
        RELAXED[:attributes],
        'audio' => %w(controls),
        'embed' => %w(height src type width),
        'iframe' => %w(allowfullscreen frameborder height scrolling src width),
        'source' => %w(src type),
        'video' => %w(controls height loop width),
-        'div' => [:data]
+      },
      ),
-      protocols: merge(
+      protocols: {
        RELAXED[:protocols],
        'embed' => { 'src' => HTTP_PROTOCOLS },
        'iframe' => { 'src' => HTTP_PROTOCOLS },
-        'source' => { 'src' => HTTP_PROTOCOLS }
+        'source' => { 'src' => HTTP_PROTOCOLS },
-      )
+      },
      add_attributes: {
        'iframe' => { 'sandbox' => 'allow-scripts allow-same-origin allow-popups allow-popups-to-escape-sandbox allow-forms' },
      }
    )
  end
 end