FIX: escape Vimeo iframe URL

Arpit Jalan
2019-05-09 21:07:55 +05:30
parent d1dbafebbc
commit 9758857a78
2 changed files with 6 additions and 1 deletions


@@ -748,6 +748,11 @@ describe PrettyText do
html = "<p>Contact me at <a href=\"mailto:username@me.com\">this address</a>.</p>"
expect(PrettyText.format_for_email(html, post)).to eq(html)
end
it "prefers data-original-href attribute to get Vimeo iframe link and escapes it" do
html = "<p>Check out this video <iframe src='https://player.vimeo.com/video/329875646' data-original-href='https://vimeo.com/329875646/> <script>alert(1)</script>'></iframe>.</p>"
expect(PrettyText.format_for_email(html, post)).to match(Regexp.escape("https://vimeo.com/329875646/%3E%20%3Cscript%3Ealert(1)%3C/script%3E"))
end
end
it 'Is smart about linebreaks and IMG tags' do
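Review bot: The new Vimeo example only asserts that the percent-encoded URL appears somewhere in the output. It never asserts that the raw markup from `data-original-href` is absent, so a regression that emitted the encoded link alongside an unescaped copy of the attribute value would still pass. Bind the result once with `cooked = PrettyText.format_for_email(html, post)` and add `expect(cooked).not_to include("<script>")` next to the positive check. The positive check would read more directly as `expect(cooked).to include("https://vimeo.com/329875646/%3E%20%3Cscript%3Ealert(1)%3C/script%3E")`, since `match(Regexp.escape(...))` is only doing a literal substring test. The escaping change itself is in the commit's other file, which is not visible here, and the enclosing `describe` block starts outside the hunk.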