
Fix malformed HTML causing uncaught error (#13042)

Fix OEmbed preview API leaking existence of private statuses (see #12930)
This commit is contained in:
Eugen Rochko 2020-02-07 15:24:22 +01:00 committed by GitHub
parent 02236332ba
commit a64973aecf
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 13 additions and 5 deletions


@ -7,15 +7,21 @@ class Api::Web::EmbedsController < Api::Web::BaseController
def create def create
status = StatusFinder.new(params[:url]).status status = StatusFinder.new(params[:url]).status
return not_found if status.hidden?
render json: status, serializer: OEmbedSerializer, width: 400 render json: status, serializer: OEmbedSerializer, width: 400
rescue ActiveRecord::RecordNotFound rescue ActiveRecord::RecordNotFound
oembed = FetchOEmbedService.new.call(params[:url]) oembed = FetchOEmbedService.new.call(params[:url])
oembed[:html] = Formatter.instance.sanitize(oembed[:html], Sanitize::Config::MASTODON_OEMBED) if oembed[:html].present?
if oembed return not_found if oembed.nil?
render json: oembed
else begin
render json: {}, status: :not_found oembed[:html] = Formatter.instance.sanitize(oembed[:html], Sanitize::Config::MASTODON_OEMBED)
rescue ArgumentError
return not_found
end end
render json: oembed
end end
end end
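Review bot: The `.present?` guard that the removed line carried on `oembed[:html]` is gone from the new `begin` block, so `Formatter.instance.sanitize` now runs even when the fetched payload has no `html` key, and the key is then assigned whatever sanitize returns for nil instead of being left absent; keeping the guard inside the block, `oembed[:html] = Formatter.instance.sanitize(oembed[:html], Sanitize::Config::MASTODON_OEMBED) if oembed[:html].present?`, preserves the old shape of the response. Whether sanitize tolerates nil is not visible in this hunk, so this may surface as an exception rather than a silent shape change. Separately, answering an `ArgumentError` raised while sanitizing a fetched payload with `not_found` folds a malformed-upstream condition into the same 404 used for missing content; a log line in that rescue would keep such failures diagnosable without changing the client-visible response. The `create` method and the class both close inside the hunk.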


@ -46,6 +46,8 @@ class Formatter
def reformat(html) def reformat(html)
sanitize(html, Sanitize::Config::MASTODON_STRICT) sanitize(html, Sanitize::Config::MASTODON_STRICT)
rescue ArgumentError
''
end end
def plaintext(status) def plaintext(status)