Penar Musaraj
3debdc8131
SECURITY: XSS when oneboxing user profile location field
...
The XSS here is only possible if CSP is disabled. Low impact since CSP is enabled by default in SiteSettings.
2019-09-17 16:12:50 -04:00
Sam Saffron
30990006a9
DEV: enable frozen string literal on all files
...
This reduces chances of errors where consumers of strings mutate inputs
and reduces memory usage of the app.
Test suite passes now, but there may be some stuff left, so we will run
a few sites on a branch prior to merging.
2019-05-13 09:31:32 +08:00
Tim Lange
5a9dd923cc
FIX: Onebox discourse user not respecting enable names (#7245)
2019-03-25 12:50:14 +05:30
Arpit Jalan
e5fd018f44
DEV: assign constant to preserve_fragment_url_hosts
2018-12-19 17:37:39 +05:30
Arpit Jalan
1ab91f0474
FIX: preserve github fragment URL
2018-12-19 12:34:47 +05:30
Guo Xiang Tan
a1e77aa2ed
FEATURE: Reimplement SiteSetting.max_oneboxes_per_post. (#6668)
...
Previously, the site setting was only effective on the client side of
things. Once the site setting had been reached, all oneboxes were not
rendered. This commit changes it such that the site setting is respected
both on the client and server side. The first N oneboxes are rendered and
once the limit has been reached, subsequent oneboxes will not be
rendered.
2018-11-27 16:00:31 +08:00
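The commit above moves the `max_oneboxes_per_post` limit from the client into the server-side cooking step. A limit that only the client enforces is advisory: a post submitted through the API, or from a modified client, skips it. As an added example (not Discourse's implementation), the Ruby below cooks raw post text and oneboxes only the first N bare-URL lines, emitting every later candidate as an ordinary link, so the limit is visible in the cooked HTML itself. The constant, the "bare URL on its own line" rule, the `<aside class="onebox">` placeholder and the sample post are all assumptions made for the example.

```ruby
require "cgi"
require "uri"

# Hypothetical stand-in for SiteSetting.max_oneboxes_per_post.
MAX_ONEBOXES_PER_POST = 2

# A line is an onebox candidate only when it consists of a single http(s) URL.
ONEBOX_LINE = %r{\A\s*(https?://\S+)\s*\z}

def valid_http_url?(url)
  uri = URI.parse(url)
  uri.is_a?(URI::HTTP) && !uri.host.nil?
rescue URI::InvalidURIError
  false
end

# Render raw post text to HTML, oneboxing only the first `limit` candidate
# URLs. Later candidates become plain links, so the limit is enforced in the
# cooked output rather than left to the client.
def cook_with_onebox_limit(raw, limit: MAX_ONEBOXES_PER_POST)
  oneboxed = 0
  raw.each_line(chomp: true).map do |line|
    if (m = ONEBOX_LINE.match(line)) && valid_http_url?(m[1])
      escaped = CGI.escapeHTML(m[1])
      if oneboxed < limit
        oneboxed += 1
        %(<aside class="onebox" data-onebox-src="#{escaped}"><a href="#{escaped}">#{escaped}</a></aside>)
      else
        %(<p><a href="#{escaped}" rel="nofollow">#{escaped}</a></p>)
      end
    else
      "<p>#{CGI.escapeHTML(line)}</p>"
    end
  end.join("\n")
end

# Number of oneboxes actually present in cooked HTML; this is what a
# server-side check asserts on.
def onebox_count(html)
  html.scan(%r{<aside class="onebox"}).size
end

# Constructed sample post: three bare-URL lines plus one inline URL.
SAMPLE_RAW = <<~RAW
  Three links, limit #{MAX_ONEBOXES_PER_POST}:
  https://example.com/one
  https://example.com/two
  https://example.com/three
  inline https://example.com/four is not a candidate
RAW

if __FILE__ == $PROGRAM_NAME
  puts cook_with_onebox_limit(SAMPLE_RAW)
end
```

Note that the count is taken from the cooked HTML, not from the raw input, so a test against it catches regressions where the client stops sending the limit or the server stops honouring it.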
Bianca Nenciu
4e0533a20b
FIX: Generate Onebox for posts of type moderator_action. (#6466)
2018-10-10 18:39:03 +08:00
Arpit Jalan
fadcd36f92
FIX: do not treat ignore_redirects domains as blacklisted
...
This fix prevents domains present in `ignore_redirects` from being treated as
blacklisted domains and makes sure that oneboxing happens for those domains.
Issue reported here: https://meta.discourse.org/t/steam-store-oneboxing-no-longer-works/97266
2018-09-18 10:38:02 +05:30
Bianca Nenciu
b6963b8ffb
FIX: Ignore OneBox blacklisted domains.
2018-08-27 20:40:55 +02:00
Guo Xiang Tan
ad5082d969
Make rubocop happy again.
2018-06-07 13:28:18 +08:00
Régis Hanol
3c8b43bb01
FIX: non-oneboxed links on separate lines should stay on separate lines
2018-04-11 21:33:45 +02:00
Vinoth Kannan
58bb3967e5
SECURITY: Oneboxer should escape the URL before processing
2018-03-15 19:57:55 +05:30
Régis Hanol
3be0294465
FIX: local post onebox was always pointing to 1st post
2018-02-26 16:05:35 +01:00
Régis Hanol
7d7f6faf40
FIX: properly render emojis in local oneboxes
2018-02-26 11:16:53 +01:00
Régis Hanol
0799831dbe
FIX: use the avatar of the post rather than the topic in local oneboxes
2018-02-20 19:49:39 +01:00
Régis Hanol
60ec483caa
FIX: include title in local onebox when linking to a different topic
2018-02-19 22:40:14 +01:00
Régis Hanol
93b1829f04
tiny refactor
2018-02-16 11:21:11 +01:00
Sam
cda3f72ab8
SECURITY: don't onebox whispers
2018-02-16 08:57:20 +11:00
Sam
57e140dc07
FIX: oneboxing to private messages
2018-02-16 08:00:22 +11:00
Régis Hanol
8e0da35857
FIX: allow local oneboxes to public topics/posts in PM
2018-02-15 18:14:41 +01:00
Sam
f028ffaf29
SECURITY: correct local onebox category checks
...
Also removes ugly "source_topic_id" from cooked posts
Patch was authored by @zogstrip
Signed-off-by: Sam <sam.saffron@gmail.com>
2018-02-14 10:40:46 +11:00
Régis Hanol
8e55400392
FIX: add 'SiteSetting.port' to 'Onebox.allowed_ports' in development mode
2017-12-18 18:31:41 +01:00
Joffrey JAFFEUX
6cd8203686
FIX: allows onebox to force GET hosts returning wrong headers on HEAD
2017-08-08 11:44:27 +02:00
Guo Xiang Tan
5012d46cbd
Add rubocop to our build. (#5004)
2017-07-28 10:20:09 +09:00
Blake Erickson
6fc5ece628
FIX: onebox for dropbox video links not working
...
add dropbox to the list of ignore redirects for onebox links
2017-07-26 14:37:54 -06:00
Régis Hanol
9e03fae26c
FIX: internal oneboxing wasn't working when login was required
2017-07-17 17:33:10 +02:00
Robin Ward
db485ae0da
FIX: Support for skipping redirects on certain domains (like steam)
2017-06-26 15:38:43 -04:00
Robin Ward
0de5d01d79
FIX: Onebox wasn't using correct uri
2017-06-06 16:39:15 -04:00
Robin Ward
369bb78f8e
FIX: Support for cookies in onebox redirects
2017-06-06 15:02:11 -04:00
Robin Ward
4c690f7089
Use FinalDestination to ensure public redirects for onebox
2017-05-22 16:42:49 -04:00
David McClure
b188c30925
FIX: Import scripts were failing to load onebox sanitize config
2017-02-25 09:27:42 -08:00
Régis Hanol
ba115480ba
FIX: wasn't extracting links to quoted posts
2017-02-06 14:45:04 +01:00
Guo Xiang Tan
d10fe51b72
Fix broken specs since all urls will be oneboxed.
2017-01-06 10:05:51 +08:00
Régis Hanol
b12b2b1911
change onebox preview key for more consistency
2016-12-20 11:18:47 +01:00
Régis Hanol
52cd9972bb
FIX: prevent DDoS with lots of _oneboxable_ links
...
FIX: ensure the onebox route is only allowed to logged in users
FIX: only allow 1 outgoing onebox preview per user
FIX: client should only do 1 preview at a time
2016-12-20 00:31:10 +01:00
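The commit above mitigates a denial-of-service where a post full of oneboxable links makes the server issue one outgoing fetch per link: the preview route now requires login and each user gets at most one outgoing preview at a time. As an added example (not Discourse's code), the Ruby below implements that per-user in-flight limit as a small thread-safe limiter and simulates a burst of preview requests from one client. Class and method names, the `NotLoggedIn` error and the sample URLs are assumptions made for the example; a real route would translate the `:throttled` result into an HTTP 429.

```ruby
require "monitor"

# Hypothetical error for an anonymous caller; a real route would answer with
# an HTTP status instead of raising.
class NotLoggedIn < StandardError; end

# Tracks in-flight outgoing onebox fetches per user and allows at most
# `max_in_flight` at a time for each user. Guarded by a Monitor because the
# preview route is hit concurrently.
class OneboxPreviewLimiter
  def initialize(max_in_flight: 1)
    @max = max_in_flight
    @in_flight = Hash.new(0)
    @lock = Monitor.new
  end

  # true when the caller may start an outgoing fetch now; false when the user
  # already has `max_in_flight` fetches outstanding.
  def acquire(user_id)
    raise NotLoggedIn, "onebox previews require a logged-in user" if user_id.nil?
    @lock.synchronize do
      if @in_flight[user_id] >= @max
        false
      else
        @in_flight[user_id] += 1
        true
      end
    end
  end

  # Frees a slot; releasing more often than acquiring is a harmless no-op.
  def release(user_id)
    @lock.synchronize do
      @in_flight[user_id] -= 1 if @in_flight[user_id] > 0
      @in_flight.delete(user_id) if @in_flight[user_id] <= 0
    end
  end

  def in_flight(user_id)
    @lock.synchronize { @in_flight[user_id] }
  end

  # Runs the caller-supplied fetch under the limit and always releases the slot.
  # Returns [:ok, result], or [:throttled, nil] when the user is at the limit.
  def with_slot(user_id)
    return [:throttled, nil] unless acquire(user_id)
    begin
      [:ok, yield]
    ensure
      release(user_id)
    end
  end
end

# Constructed scenario: one user's client fires a preview request for every
# link at once. Acquiring without releasing in between models the requests
# arriving concurrently; returns how many the server would actually fetch.
def simulate_burst(limiter, user_id, urls)
  accepted = urls.count { limiter.acquire(user_id) }
  urls.size.times { limiter.release(user_id) }
  accepted
end

if __FILE__ == $PROGRAM_NAME
  limiter = OneboxPreviewLimiter.new
  burst = %w[https://a.example/1 https://a.example/2 https://a.example/3]
  puts "accepted #{simulate_burst(limiter, 42, burst)} of #{burst.size} concurrent previews"
end
```

The limiter is in-process state; behind several app servers the same count would live in a shared store (Discourse uses Redis for its rate limits), but the acquire/release contract and the fail-closed default for anonymous callers are the same.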
Régis Hanol
a655e4b092
ensure we allow self oneboxing of login required sites
2016-11-03 22:48:32 +01:00
Régis Hanol
08d53b32ca
let's try loading onebox engines this way
2016-10-25 01:25:44 +02:00
Régis Hanol
3841cd9a7f
FEATURE: onebox everything by default
...
FEATURE: new 'max_oneboxes_per_post' site setting
FEATURE: change onebox whitelist to a blacklist
PERF: debounce the loading of oneboxes
PERF: improve perf of mention links in preview
FIX: sort loading of custom oneboxer
2016-10-24 12:46:22 +02:00
Robin Ward
0396b14b70
FEATURE: New "First Onebox" badge
2016-04-12 15:31:14 -04:00
Arpit Jalan
f38abbe279
FIX: onebox links should respect nofollow settings
2015-12-04 01:59:12 +05:30
Sam
57870b970d
correct hack and move to oneboxer
2015-09-25 20:14:53 +10:00
Sam
18a8853181
FIX: don't crash out searching for parent in oneboxer
2015-09-22 12:42:13 +10:00
Sam
88a5a676a7
lower error level on onebox failures
2015-08-24 10:43:07 +10:00
riking
5657006aca
Rename handle_exception to handle_job_exception
2015-02-09 12:47:46 -08:00
riking
d90404e830
Change 'code' to 'message'
2014-07-17 15:19:58 -07:00
Robin Ward
fc20332c0f
Lift all oneboxes out of <p> tags.
2014-07-04 16:09:51 -04:00
Robin Ward
7bb33c28c2
Add new max_width feature for oneboxes. Allows vimeo oneboxes to not
...
look like total garbage.
2014-06-05 13:18:18 -04:00
Sam
0bc3525b10
BUGFIX: more robust onebox implementation
2014-05-28 17:15:10 +10:00
Robin Ward
b0405d7cfa
Adds a Site Setting to whitelist onebox domains
2014-04-09 16:57:45 -04:00
Sam
239bcd19df
BUGFIX: protect ourselves against rogue onebox gem
2014-04-01 15:29:14 +11:00