Sanitize and sandbox toot embeds (#9552)
This commit is contained in:
parent
bb62827c16
commit
e25947db4a
|
@ -10,6 +10,7 @@ class Api::Web::EmbedsController < Api::Web::BaseController
|
||||||
render json: status, serializer: OEmbedSerializer, width: 400
|
render json: status, serializer: OEmbedSerializer, width: 400
|
||||||
rescue ActiveRecord::RecordNotFound
|
rescue ActiveRecord::RecordNotFound
|
||||||
oembed = FetchOEmbedService.new.call(params[:url])
|
oembed = FetchOEmbedService.new.call(params[:url])
|
||||||
|
oembed[:html] = Formatter.instance.sanitize(oembed[:html], Sanitize::Config::MASTODON_OEMBED) if oembed[:html].present?
|
||||||
|
|
||||||
if oembed
|
if oembed
|
||||||
render json: oembed
|
render json: oembed
|
||||||
|
|
|
@ -77,6 +77,7 @@ class EmbedModal extends ImmutablePureComponent {
|
||||||
className='embed-modal__iframe'
|
className='embed-modal__iframe'
|
||||||
frameBorder='0'
|
frameBorder='0'
|
||||||
ref={this.setIframeRef}
|
ref={this.setIframeRef}
|
||||||
|
sandbox='allow-same-origin'
|
||||||
title='preview'
|
title='preview'
|
||||||
/>
|
/>
|
||||||
</div>
|
</div>
|
||||||
|
|
Loading…
Reference in a new issue