SECURITY: Oneboxer should escape the URL before processing

lib/oneboxer.rb

@@ -1,3 +1,4 @@
+require 'uri'
 require_dependency "onebox/discourse_onebox_sanitize_config"
 require_dependency 'final_destination'
 
@@ -131,6 +132,7 @@ module Oneboxer
     end
 
     def self.onebox_raw(url, opts = {})
+      url = URI(url).to_s
       local_onebox(url, opts) || external_onebox(url)
     rescue => e
       # no point warning here, just cause we have an issue oneboxing a url

spec/components/oneboxer_spec.rb

@@ -98,4 +98,13 @@ describe Oneboxer do
 
   end
 
+  context ".onebox_raw" do
+    it "should escape the onebox URL before processing" do
+      post = Fabricate(:post, raw: Discourse.base_url + "/new?'class=black")
+      cpp = CookedPostProcessor.new(post, invalidate_oneboxes: true)
+      cpp.post_process_oneboxes
+      expect(cpp.html).to eq("<a href=\"#{Discourse.base_url}/new?%27class=black\">http://test.localhost/new?%27class=black</a>")
+    end
+  end
+
 end