mirror of
https://github.com/discourse/discourse.git
synced 2024-12-05 09:56:30 +08:00
283b08d45f
* Move onebox gem in core library * Update template file path * Remove warning for onebox gem caching * Remove onebox version file * Remove onebox gem * Add sanitize gem * Require onebox library in lazy-yt plugin * Remove onebox web specific code This code was used in standalone onebox Sinatra application * Merge Discourse specific AllowlistedGenericOnebox engine in core * Fix onebox engine filenames to match class name casing * Move onebox specs from gem into core * DEV: Rename `response` helper to `onebox_response` Fixes a naming collision. * Require rails_helper * Don't use `before/after(:all)` * Whitespace * Remove fakeweb * Remove poor unit tests * DEV: Re-add fakeweb, plugins are using it * Move onebox helpers * Stub Instagram API * FIX: Follow additional redirect status codes (#476) Don’t throw errors if we encounter 303, 307 or 308 HTTP status codes in responses * Remove an empty file * DEV: Update the license file Using the copy from https://choosealicense.com/licenses/gpl-2.0/# Hopefully this will enable GitHub to show the license UI? * DEV: Update embedded copyrights * DEV: Add Onebox copyright notice * DEV: Add MIT license, convert COPYRIGHT.txt to md * DEV: Remove an incorrect copyright claim Co-authored-by: Jarek Radosz <jradosz@gmail.com> Co-authored-by: jbrw <jamie@goatforce5.org>
73 lines
2.3 KiB
Ruby
73 lines
2.3 KiB
Ruby
# frozen_string_literal: true
|
|
|
|
class Sanitize
|
|
module Config
|
|
|
|
HTTP_PROTOCOLS ||= ['http', 'https', :relative].freeze
|
|
|
|
ONEBOX ||= freeze_config merge(RELAXED,
|
|
elements: RELAXED[:elements] + %w[audio details embed iframe source video svg path],
|
|
|
|
attributes: {
|
|
'a' => RELAXED[:attributes]['a'] + %w(target),
|
|
'audio' => %w[controls controlslist],
|
|
'embed' => %w[height src type width],
|
|
'iframe' => %w[allowfullscreen frameborder height scrolling src width data-original-href data-unsanitized-src],
|
|
'source' => %w[src type],
|
|
'video' => %w[controls height loop width autoplay muted poster controlslist playsinline],
|
|
'path' => %w[d],
|
|
'svg' => ['aria-hidden', 'width', 'height', 'viewbox'],
|
|
'div' => [:data], # any data-* attributes,
|
|
'span' => [:data], # any data-* attributes
|
|
},
|
|
|
|
add_attributes: {
|
|
'iframe' => {
|
|
'seamless' => 'seamless',
|
|
'sandbox' => 'allow-same-origin allow-scripts allow-forms allow-popups allow-popups-to-escape-sandbox' \
|
|
' allow-presentation',
|
|
}
|
|
},
|
|
|
|
transformers: (RELAXED[:transformers] || []) + [
|
|
lambda do |env|
|
|
next unless env[:node_name] == 'a'
|
|
a_tag = env[:node]
|
|
a_tag['href'] ||= '#'
|
|
if a_tag['href'] =~ %r{^(?:[a-z]+:)?//}
|
|
a_tag['rel'] = 'nofollow ugc noopener'
|
|
else
|
|
a_tag.remove_attribute('target')
|
|
end
|
|
end,
|
|
|
|
lambda do |env|
|
|
next unless env[:node_name] == 'iframe'
|
|
|
|
iframe = env[:node]
|
|
allowed_regexes = env[:config][:allowed_iframe_regexes] || [/.*/]
|
|
|
|
allowed = allowed_regexes.any? { |r| iframe["src"] =~ r }
|
|
|
|
if !allowed
|
|
# add a data attribute with the blocked src. This is not required
|
|
# but makes it much easier to troubleshoot onebox issues
|
|
iframe["data-unsanitized-src"] = iframe["src"]
|
|
iframe.remove_attribute("src")
|
|
end
|
|
end
|
|
],
|
|
|
|
protocols: {
|
|
'embed' => { 'src' => HTTP_PROTOCOLS },
|
|
'iframe' => { 'src' => HTTP_PROTOCOLS },
|
|
'source' => { 'src' => HTTP_PROTOCOLS },
|
|
},
|
|
|
|
css: {
|
|
properties: RELAXED[:css][:properties] + %w[--aspect-ratio]
|
|
}
|
|
)
|
|
end
|
|
end
|