cybrespace/mastodon
4
3
Fork 3
Code Issues 7 Pull requests Releases Activity

Fix malformed HTML causing uncaught error (#13042)

Browse source 
Fix OEmbed preview API leaking existence of private statuses (see #12930)
This commit is contained in:
Eugen Rochko 2020-02-07 15:24:22 +01:00 committed by GitHub
parent 02236332ba
commit a64973aecf
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 13 additions and 5 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

16
app/controllers/api/web/embeds_controller.rb
View file

@ -7,15 +7,21 @@ class Api::Web::EmbedsController < Api::Web::BaseController
def create def create
status = StatusFinder.new(params[:url]).status status = StatusFinder.new(params[:url]).status
return not_found if status.hidden?
render json: status, serializer: OEmbedSerializer, width: 400 render json: status, serializer: OEmbedSerializer, width: 400
rescue ActiveRecord::RecordNotFound rescue ActiveRecord::RecordNotFound
oembed = FetchOEmbedService.new.call(params[:url]) oembed = FetchOEmbedService.new.call(params[:url])
oembed[:html] = Formatter.instance.sanitize(oembed[:html], Sanitize::Config::MASTODON_OEMBED) if oembed[:html].present?
if oembed return not_found if oembed.nil?
begin
oembed[:html] = Formatter.instance.sanitize(oembed[:html], Sanitize::Config::MASTODON_OEMBED)
rescue ArgumentError
return not_found
end
render json: oembed render json: oembed
else
render json: {}, status: :not_found
end
end end
end end

2
app/lib/formatter.rb
View file

@ -46,6 +46,8 @@ class Formatter
def reformat(html) def reformat(html)
sanitize(html, Sanitize::Config::MASTODON_STRICT) sanitize(html, Sanitize::Config::MASTODON_STRICT)
rescue ArgumentError
''
end end
def plaintext(status) def plaintext(status)