Sanitize and sandbox toot embeds (#9552)

2018-12-23 02:16:35 +01:00 · 2018-12-23 02:16:35 +01:00 · e25947db4a
parent bb62827c16
commit e25947db4a
2 changed files with 2 additions and 0 deletions
--- a/app/controllers/api/web/embeds_controller.rb
+++ b/app/controllers/api/web/embeds_controller.rb
@ -10,6 +10,7 @@ class Api::Web::EmbedsController < Api::Web::BaseController
    render json: status, serializer: OEmbedSerializer, width: 400
  rescue ActiveRecord::RecordNotFound
    oembed = FetchOEmbedService.new.call(params[:url])
+    oembed[:html] = Formatter.instance.sanitize(oembed[:html], Sanitize::Config::MASTODON_OEMBED) if oembed[:html].present?

    if oembed
      render json: oembed
--- a/app/javascript/mastodon/features/ui/components/embed_modal.js
+++ b/app/javascript/mastodon/features/ui/components/embed_modal.js
@ -77,6 +77,7 @@ class EmbedModal extends ImmutablePureComponent {
            className='embed-modal__iframe'
            frameBorder='0'
            ref={this.setIframeRef}
+            sandbox='allow-same-origin'
            title='preview'
          />
        </div>