SECURITY: Fix Stored-dom XSS via Facebook Oneboxes

lib/onebox/engine/facebook_media_onebox.rb

@@ -6,7 +6,7 @@ module Onebox
       include Engine
       include StandardEmbed
 
-      matches_regexp(%r{^https?://.*\.facebook\.com/(\w+)/(videos|\?).*})
+      matches_regexp(%r{^https?://(?:www\.)?facebook\.com/(\w+)/(videos|\?).*})
       always_https
       requires_iframe_origins "https://www.facebook.com"
 

spec/lib/onebox/engine/facebook_media_onebox_spec.rb

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+RSpec.describe Onebox::Engine::FacebookMediaOnebox do
+  describe "regex URI match" do
+    it "matches videos with title" do
+      expect(match("https://www.facebook.com/user/videos/title/123456789/")).to eq true
+    end
+
+    it "matches videos without a title" do
+      expect(match("https://facebook.com/user/videos/123456789")).to eq true
+    end
+
+    it "only matches the facebook.com domain" do
+      expect(match("https://somedomain.com/a.facebook.com/a/videos")).to eq false
+    end
+
+    def match(url)
+      Onebox::Engine::FacebookMediaOnebox === URI(url)
+    end
+  end
+end