mirror of
https://github.com/discourse/discourse.git
synced 2024-11-24 17:03:13 +08:00
2f28ba318c
* FEATURE: Onebox can match engines based on the content_type `FinalDestination` now returns the `content_type` of a resolved URL. `Oneboxer` passes this value to `Onebox` itself. Onebox engines can now specify a `matches_content_type` regex of content_types that the engine can handle, regardless of the URL. `ImageOnebox` will match URLs with a content type of `image/png`, `jpg`, `gif`, `bmp`, `tif`, etc. This will allow images that exist at a URL without a file type extension to be correctly rendered, assuming a valid `content_type` is returned.
116 lines
3.9 KiB
Ruby
116 lines
3.9 KiB
Ruby
# frozen_string_literal: true
|
|
|
|
require "rails_helper"
|
|
|
|
describe Onebox::Preview do
|
|
before do
|
|
stub_request(:get, "https://www.amazon.com/product")
|
|
.to_return(status: 200, body: onebox_response("amazon"))
|
|
end
|
|
|
|
let(:preview_url) { "http://www.amazon.com/product" }
|
|
let(:preview) { described_class.new(preview_url) }
|
|
|
|
describe "#to_s" do
|
|
before do
|
|
stub_request(:get, "https://www.amazon.com/Seven-Languages-Weeks-Programming-Programmers/dp/193435659X")
|
|
.to_return(status: 200, body: onebox_response("amazon"))
|
|
end
|
|
|
|
it "returns some html if given a valid url" do
|
|
title = "Seven Languages in Seven Weeks: A Pragmatic Guide to Learning Programming Languages (Pragmatic Programmers)"
|
|
expect(preview.to_s).to include(title)
|
|
end
|
|
|
|
it "returns an empty string if the url is not valid" do
|
|
expect(described_class.new('not a url').to_s).to eq("")
|
|
end
|
|
end
|
|
|
|
describe "max_width" do
|
|
let(:iframe_html) { '<iframe src="//player.vimeo.com/video/96017582" width="1280" height="720" frameborder="0" title="GO BIG OR GO HOME" webkitallowfullscreen mozallowfullscreen allowfullscreen></iframe>' }
|
|
|
|
it "doesn't change dimensions without an option" do
|
|
iframe = described_class.new(preview_url)
|
|
iframe.stubs(:engine_html).returns(iframe_html)
|
|
|
|
result = iframe.to_s
|
|
expect(result).to include("width=\"1280\"")
|
|
expect(result).to include("height=\"720\"")
|
|
end
|
|
|
|
it "doesn't change dimensions if it is smaller than `max_width`" do
|
|
iframe = described_class.new(preview_url, max_width: 2000)
|
|
iframe.stubs(:engine_html).returns(iframe_html)
|
|
|
|
result = iframe.to_s
|
|
expect(result).to include("width=\"1280\"")
|
|
expect(result).to include("height=\"720\"")
|
|
end
|
|
|
|
it "changes dimensions if larger than `max_width`" do
|
|
iframe = described_class.new(preview_url, max_width: 900)
|
|
iframe.stubs(:engine_html).returns(iframe_html)
|
|
|
|
result = iframe.to_s
|
|
expect(result).to include("width=\"900\"")
|
|
expect(result).to include("height=\"506\"")
|
|
end
|
|
end
|
|
|
|
describe "#engine" do
|
|
let(:preview_image_url) { "http://www.example.com/image/without/file_extension" }
|
|
let(:preview_image) { described_class.new(preview_image_url, content_type: 'image/png') }
|
|
|
|
it "returns an engine" do
|
|
expect(preview.send(:engine)).to be_an(Onebox::Engine)
|
|
end
|
|
|
|
it "can match based on content_type" do
|
|
expect(preview_image.send(:engine)).to be_an(Onebox::Engine::ImageOnebox)
|
|
end
|
|
end
|
|
|
|
describe "xss" do
|
|
let(:xss) { "wat' onerror='alert(/XSS/)" }
|
|
let(:img_html) { "<img src='#{xss}'>" }
|
|
|
|
it "prevents XSS" do
|
|
preview = described_class.new(preview_url)
|
|
preview.stubs(:engine_html).returns(img_html)
|
|
|
|
result = preview.to_s
|
|
expect(result).not_to match(/onerror/)
|
|
end
|
|
end
|
|
|
|
describe "iframe sanitizer" do
|
|
let(:iframe_html) { "<iframe src='https://thirdparty.example.com'>" }
|
|
|
|
it "sanitizes iframes from unknown origins" do
|
|
preview = described_class.new(preview_url)
|
|
preview.stubs(:engine_html).returns(iframe_html)
|
|
|
|
result = preview.to_s
|
|
expect(result).not_to include(' src="https://thirdparty.example.com"')
|
|
expect(result).to include(' data-unsanitized-src="https://thirdparty.example.com"')
|
|
end
|
|
|
|
it "allows allowed origins" do
|
|
preview = described_class.new(preview_url, allowed_iframe_origins: ["https://thirdparty.example.com"])
|
|
preview.stubs(:engine_html).returns(iframe_html)
|
|
|
|
result = preview.to_s
|
|
expect(result).to include ' src="https://thirdparty.example.com"'
|
|
end
|
|
|
|
it "allows wildcard allowed origins" do
|
|
preview = described_class.new(preview_url, allowed_iframe_origins: ["https://*.example.com"])
|
|
preview.stubs(:engine_html).returns(iframe_html)
|
|
|
|
result = preview.to_s
|
|
expect(result).to include ' src="https://thirdparty.example.com"'
|
|
end
|
|
end
|
|
end
|