mirror of
https://github.com/discourse/discourse.git
synced 2024-12-01 20:25:48 +08:00
46176b7dd7
Currently we’re reopening the `Sanitize::Config` class (which is part of the `sanitize` gem) to put our custom config for Onebox in it. This is unnecessary as we can simply create a dedicated module to hold our custom configuration.
83 lines
2.7 KiB
Ruby
83 lines
2.7 KiB
Ruby
# frozen_string_literal: true
|
|
|
|
module Onebox
|
|
module SanitizeConfig
|
|
HTTP_PROTOCOLS ||= ['http', 'https', :relative].freeze
|
|
|
|
ONEBOX ||= Sanitize::Config.freeze_config(Sanitize::Config.merge(Sanitize::Config::RELAXED,
|
|
elements: Sanitize::Config::RELAXED[:elements] + %w[audio details embed iframe source video svg path],
|
|
|
|
attributes: {
|
|
'a' => Sanitize::Config::RELAXED[:attributes]['a'] + %w(target),
|
|
'audio' => %w[controls controlslist],
|
|
'embed' => %w[height src type width],
|
|
'iframe' => %w[allowfullscreen frameborder height scrolling src width data-original-href data-unsanitized-src],
|
|
'source' => %w[src type],
|
|
'video' => %w[controls height loop width autoplay muted poster controlslist playsinline],
|
|
'path' => %w[d],
|
|
'svg' => ['aria-hidden', 'width', 'height', 'viewbox'],
|
|
'div' => [:data], # any data-* attributes,
|
|
'span' => [:data], # any data-* attributes
|
|
},
|
|
|
|
add_attributes: {
|
|
'iframe' => {
|
|
'seamless' => 'seamless',
|
|
'sandbox' => 'allow-same-origin allow-scripts allow-forms allow-popups allow-popups-to-escape-sandbox' \
|
|
' allow-presentation',
|
|
}
|
|
},
|
|
|
|
transformers: (Sanitize::Config::RELAXED[:transformers] || []) + [
|
|
lambda do |env|
|
|
next unless env[:node_name] == 'a'
|
|
a_tag = env[:node]
|
|
a_tag['href'] ||= '#'
|
|
if a_tag['href'] =~ %r{^(?:[a-z]+:)?//}
|
|
a_tag['rel'] = 'nofollow ugc noopener'
|
|
else
|
|
a_tag.remove_attribute('target')
|
|
end
|
|
end,
|
|
|
|
lambda do |env|
|
|
next unless env[:node_name] == 'iframe'
|
|
|
|
iframe = env[:node]
|
|
allowed_regexes = env[:config][:allowed_iframe_regexes] || [/.*/]
|
|
|
|
allowed = allowed_regexes.any? { |r| iframe["src"] =~ r }
|
|
|
|
if !allowed
|
|
# add a data attribute with the blocked src. This is not required
|
|
# but makes it much easier to troubleshoot onebox issues
|
|
iframe["data-unsanitized-src"] = iframe["src"]
|
|
iframe.remove_attribute("src")
|
|
end
|
|
end
|
|
],
|
|
|
|
protocols: {
|
|
'embed' => { 'src' => HTTP_PROTOCOLS },
|
|
'iframe' => { 'src' => HTTP_PROTOCOLS },
|
|
'source' => { 'src' => HTTP_PROTOCOLS },
|
|
},
|
|
|
|
css: {
|
|
properties: Sanitize::Config::RELAXED[:css][:properties] + %w[--aspect-ratio]
|
|
}
|
|
))
|
|
|
|
DISCOURSE_ONEBOX ||=
|
|
Sanitize::Config.freeze_config(
|
|
Sanitize::Config.merge(
|
|
ONEBOX,
|
|
attributes: Sanitize::Config.merge(
|
|
ONEBOX[:attributes],
|
|
'aside' => [:data]
|
|
)
|
|
)
|
|
)
|
|
end
|
|
end
|