Sanitize and sandbox toot embeds (#9552)
This commit is contained in:
parent
bb62827c16
commit
e25947db4a
2 changed files with 2 additions and 0 deletions
|
@ -10,6 +10,7 @@ class Api::Web::EmbedsController < Api::Web::BaseController
|
|||
render json: status, serializer: OEmbedSerializer, width: 400
|
||||
rescue ActiveRecord::RecordNotFound
|
||||
oembed = FetchOEmbedService.new.call(params[:url])
|
||||
oembed[:html] = Formatter.instance.sanitize(oembed[:html], Sanitize::Config::MASTODON_OEMBED) if oembed[:html].present?
|
||||
|
||||
if oembed
|
||||
render json: oembed
|
||||
|
|
|
@ -77,6 +77,7 @@ class EmbedModal extends ImmutablePureComponent {
|
|||
className='embed-modal__iframe'
|
||||
frameBorder='0'
|
||||
ref={this.setIframeRef}
|
||||
sandbox='allow-same-origin'
|
||||
title='preview'
|
||||
/>
|
||||
</div>
|
||||
|
|
Loading…
Reference in a new issue