Skip to content

AO3-7443 Remove Google from embed allowlist #5806

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
sarken wants to merge 1 commit into
base: master
Choose a base branch
from
+3 −12
Open

AO3-7443 Remove Google from embed allowlist #5806

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 2 additions & 3 deletions lib/otw_sanitize/embed_sanitizer.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -12,7 +12,6 @@ class EmbedSanitizer
archiveorg: %r{^archive\.org/embed/},
bilibili: %r{^(player\.)?bilibili\.com/},
criticalcommons: %r{^criticalcommons\.org/},
google: %r{^google\.com/},
podfic: %r{^podfic\.com/},
soundcloud: %r{^(w\.)?soundcloud\.com/},
spotify: %r{^(open\.)?spotify\.com/},
Expand All @@ -23,8 +22,8 @@ class EmbedSanitizer
}.freeze

ALLOWS_FLASHVARS = %i[
criticalcommons eighttracks google
podfic soundcloud spotify viddersnet
criticalcommons eighttracks podfic
soundcloud spotify viddersnet
].freeze

SUPPORTS_HTTPS = %i[
Expand Down
10 changes: 1 addition & 9 deletions spec/lib/html_cleaner_spec.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -12,7 +12,7 @@ def one_cell_table(content)
ArchiveConfig.FIELDS_ALLOWING_MEDIA_EMBEDS.each do |field|
context "#{field} is configured to allow media embeds" do
%w[youtube.com youtube-nocookie.com vimeo.com player.vimeo.com
vidders.net criticalcommons.org google.com podfic.com archive.org
vidders.net criticalcommons.org podfic.com archive.org
open.spotify.com spotify.com w.soundcloud.com soundcloud.com viddertube.com
bilibili.com player.bilibili.com 4shared.com/web/embed audio.com/embed/audio].each do |source|

Expand Down Expand Up @@ -43,14 +43,6 @@ def one_cell_table(content)
end
end

it "keeps google player embeds without closing tag" do
# HTML5 disallows </embed>, according to https://developer.mozilla.org/en-US/docs/Web/HTML/Reference/Elements/embed#technical_summary
html1 = '<embed type="application/x-shockwave-flash" flashvars="audioUrl=http://dl.dropbox.com/u/123/foo.mp3" src="http://www.google.com/reader/ui/123-audio-player.swf" width="400" height="27" allowscriptaccess="never" allownetworking="internal">'
html2 = "#{html1}</embed>"
result = sanitize_value(field, html2)
expect(result).to eq(html1)
end

it "strips embeds with unknown source" do
html = '<embed src="http://www.evil.org"></embed>'
result = sanitize_value(field, html)
Expand Down
Loading