Sanitize and sandbox toot embeds (#9552)

th-downstream
ThibG 6 years ago committed by Eugen Rochko
parent eb2994d454
commit 4bf67e9cd0

@ -10,6 +10,7 @@ class Api::Web::EmbedsController < Api::Web::BaseController
render json: status, serializer: OEmbedSerializer, width: 400
rescue ActiveRecord::RecordNotFound
oembed = FetchOEmbedService.new.call(params[:url])
oembed[:html] = Formatter.instance.sanitize(oembed[:html], Sanitize::Config::MASTODON_OEMBED) if oembed[:html].present?
if oembed
render json: oembed

@ -77,6 +77,7 @@ class EmbedModal extends ImmutablePureComponent {
className='embed-modal__iframe'
frameBorder='0'
ref={this.setIframeRef}
sandbox='allow-same-origin'
title='preview'
/>
</div>

Loading…
Cancel
Save