OpenCloud
/
mastodon
mirror of https://github.com/tootsuite/mastodon
1
1
Fork 0
Code Issues Releases Wiki Activity

Sanitize and sandbox toot embeds (#9552)

pull/9616/head
ThibG 2018-12-23 02:16:35 +01:00 committed by Eugen Rochko
parent bb62827c16
commit e25947db4a
2 changed files with 2 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
app/controllers/api/web/embeds_controller.rb
View File

@ -10,6 +10,7 @@ class Api::Web::EmbedsController < Api::Web::BaseController
render json: status, serializer: OEmbedSerializer, width: 400 render json: status, serializer: OEmbedSerializer, width: 400
rescue ActiveRecord::RecordNotFound rescue ActiveRecord::RecordNotFound
oembed = FetchOEmbedService.new.call(params[:url]) oembed = FetchOEmbedService.new.call(params[:url])
oembed[:html] = Formatter.instance.sanitize(oembed[:html], Sanitize::Config::MASTODON_OEMBED) if oembed[:html].present?
if oembed if oembed
render json: oembed render json: oembed

1
app/javascript/mastodon/features/ui/components/embed_modal.js
View File

@ -77,6 +77,7 @@ class EmbedModal extends ImmutablePureComponent {
className='embed-modal__iframe' className='embed-modal__iframe'
frameBorder='0' frameBorder='0'
ref={this.setIframeRef} ref={this.setIframeRef}
sandbox='allow-same-origin'
title='preview' title='preview'
/> />
</div> </div>