SECURITY: Fix Stored-dom XSS via Facebook Oneboxes
This commit is contained in:
parent
8d5b21170e
commit
26aef0c288
|
@ -6,7 +6,7 @@ module Onebox
|
|||
include Engine
|
||||
include StandardEmbed
|
||||
|
||||
matches_regexp(%r{^https?://.*\.facebook\.com/(\w+)/(videos|\?).*})
|
||||
matches_regexp(%r{^https?://(?:www\.)?facebook\.com/(\w+)/(videos|\?).*})
|
||||
always_https
|
||||
requires_iframe_origins "https://www.facebook.com"
|
||||
|
||||
|
|
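Review bot: The tightened pattern still anchors with `^` rather than `\A`, so against a multi-line string it would accept a `https://facebook.com/...` URL on any line, not only at the start; the accompanying spec drives it through `URI(url)`, which rejects embedded newlines, but whether every caller of `===` hands it a parsed URI rather than a raw string is not visible from this hunk. Switching the anchor costs nothing: `matches_regexp(%r{\Ahttps?://(?:www\.)?facebook\.com/(\w+)/(videos|\?).*})`. The trailing `.*` adds nothing to an unanchored-at-the-end match and could be dropped for clarity. The enclosing class starts outside the hunk.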
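--- /dev/null
+++ b/spec/lib/onebox/engine/facebook_media_onebox_spec.rb
@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+RSpec.describe Onebox::Engine::FacebookMediaOnebox do
+describe "regex URI match" do
+it "matches videos with title" do
+expect(match("https://www.facebook.com/user/videos/title/123456789/")).to eq true
+end
+
+it "matches videos without a title" do
+expect(match("https://facebook.com/user/videos/123456789")).to eq true
+end
+
+it "only matches the facebook.com domain" do
+expect(match("https://somedomain.com/a.facebook.com/a/videos")).to eq false
+end
+
+def match(url)
+Onebox::Engine::FacebookMediaOnebox === URI(url)
+end
+end
+end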
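Review bot: The helper `def match(url)` declared inside the `describe` block shadows RSpec's built-in `match` matcher for this example group, so any later `expect(x).to match(/.../)` written here would call the helper with a Regexp instead; a non-colliding name such as `def matches?(url)` avoids the trap. The single negative case only covers `.facebook.com` appearing inside the path, so a second negative where `facebook.com` is merely a prefix of a longer host (constructed example) — `expect(match("https://facebook.com.example.test/a/videos")).to eq false` — would pin the `facebook\.com/` host boundary the fix depends on. For boolean results `to be true` / `to be false` is the usual RSpec form rather than `to eq true` / `to eq false`.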