From d6b22e6cc1b19a5279774fbe3a0138caca7918ea Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?R=C3=A9gis=20Hanol?=
Date: Sat, 23 Dec 2017 01:56:33 +0100
Subject: [PATCH] FIX: whitelist oneboxed iframes

---
 .../engine/whitelisted_generic_onebox.rb | 18 ++++++++++++
 .../engine/whitelisted_generic_onebox_spec.rb | 28 +++++++++++++++++++
 2 files changed, 46 insertions(+)

diff --git a/lib/onebox/engine/whitelisted_generic_onebox.rb b/lib/onebox/engine/whitelisted_generic_onebox.rb
index e711b960c9b..f48ad2f214e 100644
--- a/lib/onebox/engine/whitelisted_generic_onebox.rb
+++ b/lib/onebox/engine/whitelisted_generic_onebox.rb
@@ -14,6 +14,24 @@ module Onebox
 Float::INFINITY
 end
+ private
+
+ # overwrite to whitelist iframes
+ def is_embedded?
+ return false unless data[:html] && data[:height]
+ return true if WhitelistedGenericOnebox.html_providers.include?(data[:provider_name])
+
+ if data[:html]["iframe"]
+ fragment = Nokogiri::HTML::fragment(data[:html])
+ if iframe = fragment.at_css("iframe")
+ src = iframe["src"]
+ return src.present? && SiteSetting.allowed_iframes.split("|").any? { |url| src.start_with?(url) }
+ end
+ end
+
+ false
+ end
+
 end
 end
 end
diff --git a/spec/components/onebox/engine/whitelisted_generic_onebox_spec.rb b/spec/components/onebox/engine/whitelisted_generic_onebox_spec.rb
index f6d8c38840b..d9ccd91f785 100644
--- a/spec/components/onebox/engine/whitelisted_generic_onebox_spec.rb
+++ b/spec/components/onebox/engine/whitelisted_generic_onebox_spec.rb
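Review bot: An empty segment in `SiteSetting.allowed_iframes` turns the new check in `is_embedded?` into an allow-everything rule: a leading or doubled `|` makes `split("|")` yield `""`, and `src.start_with?("")` is true for any src, so the `any?` on the `return src.present? && ...` line accepts every iframe. The check also inspects only `fragment.at_css("iframe")`, so when the oEmbed html carries more than one iframe only the first is validated and the rest are embedded unchecked. `start_with?` on the raw string is a prefix match, so an entry is also satisfied by a src whose host merely extends the allowed one; comparing the parsed `URI` scheme and host would be tighter and is left as a follow-up. The rewrite below drops blank segments and requires every iframe to pass; the comment `# overwrite to whitelist iframes` should read `# override: embed iframes only when every src is covered by SiteSetting.allowed_iframes`.
```ruby
      def is_embedded?
        return false unless data[:html] && data[:height]
        return true if WhitelistedGenericOnebox.html_providers.include?(data[:provider_name])
        return false unless data[:html]["iframe"]

        # a blank segment (leading "|" or "||") would otherwise match every src via start_with?("")
        allowed = SiteSetting.allowed_iframes.split("|").map(&:strip).reject(&:blank?)
        return false if allowed.empty?

        iframes = Nokogiri::HTML::fragment(data[:html]).css("iframe")
        return false if iframes.empty?

        # every iframe in the markup has to be allowed, not only the first one
        iframes.all? do |iframe|
          src = iframe["src"]
          src.present? && allowed.any? { |url| src.start_with?(url) }
        end
      end
```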
@@ -15,4 +15,32 @@ describe Onebox::Engine::WhitelistedGenericOnebox do
 end
+ it "whitelists iframes" do
+ whitelisted_body = ''
+ blacklisted_body = ''
+
+ whitelisted_oembed = {
+ type: "rich",
+ height: "100",
+ html: ""
+ }
+
+ blacklisted_oembed = {
+ type: "rich",
+ height: "100",
+ html: ""
+ }
+
+ stub_request(:get, "https://blacklist.ed/iframes").to_return(status: 200, body: blacklisted_body)
+ stub_request(:get, "https://blacklist.ed/iframes.json").to_return(status: 200, body: blacklisted_oembed.to_json)
+
+ stub_request(:get, "https://whitelist.ed/iframes").to_return(status: 200, body: whitelisted_body)
+ stub_request(:get, "https://whitelist.ed/iframes.json").to_return(status: 200, body: whitelisted_oembed.to_json)
+
+ SiteSetting.allowed_iframes = "discourse.org|https://ifram.es"
+
+ expect(Onebox.preview("https://blacklist.ed/iframes").to_s).to be_empty
+ expect(Onebox.preview("https://whitelist.ed/iframes").to_s).to match("iframe src")
+ end
+
 end
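Review bot: The new example only covers the happy path of the setting: there is no case for an `allowed_iframes` value with an empty segment (`"|https://ifram.es"`) or for a src that merely starts with an allowed entry, which are exactly the inputs where the prefix match in `is_embedded?` is weakest; one more `expect(Onebox.preview(...).to_s).to be_empty` per case would pin them. As rendered here `whitelisted_body = ''` and `html: ""` carry no markup at all, so the expectations cannot be traced from this page; presumably the iframe markup was lost in extraction and the fixtures should contain it. `SiteSetting.allowed_iframes` is assigned in the example and never restored; if the suite does not reset site settings between examples this value leaks into later specs.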