You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Add embeddable iframe comments with RSS/ATOM import and raw-HTML posts
What Changed
External sites can embed a Discourse iframe endpoint that shows a topic's top posts or enqueues background retrieval when no topic exists; embed requests are allowed only from a configured host and the iframe sends its height to the parent for dynamic resizing.
RSS/ATOM feeds can be polled hourly and feed items imported or used to update existing topics; imported items create topics/posts using the forum user configured for imports.
Imported content preserves original HTML (rendered as raw HTML), converts relative links and image sources to absolute URLs, and updates existing posts when the feed content changes.
New admin site settings to configure the embeddable host, enable feed polling, set the feed URL, and choose the importing username; database migrations add tracking for embeds and a cook method field on posts.
Background jobs and a retriever class throttle and coordinate fetches so repeated embed requests are rate-limited and duplicate imports are avoided.
Impact
✅ Embeddable comments via iframe ✅ Automatic import of RSS/ATOM feeds into topics ✅ Imported posts preserve original HTML and fixed relative links
💡 Usage Guide
Checking Your Pull Request
Every time you make a pull request, our system automatically looks through it. We check for security issues, mistakes in how you're setting up your infrastructure, and common code problems. We do this to make sure your changes are solid and won't cause any trouble later.
Talking to CodeAnt AI
Got a question or need a hand with something in your pull request? You can easily get in touch with CodeAnt AI right here. Just type the following in a comment on your pull request, and replace "Your question here" with whatever you want to ask:
@codeant-ai ask: Your question here
This lets you have a chat with CodeAnt AI about your pull request, making it easier to understand and improve your code.
Example
@codeant-ai ask: Can you suggest a safer alternative to storing this secret?
Preserve Org Learnings with CodeAnt
You can record team preferences so CodeAnt AI applies them in future reviews. Reply directly to the specific CodeAnt AI suggestion (in the same thread) and replace "Your feedback here" with your input:
@codeant-ai: Your feedback here
This helps CodeAnt AI learn and adapt to your team's coding style and standards.
Example
@codeant-ai: Do not flag unused imports.
Retrigger review
Ask CodeAnt AI to review the PR again, by typing:
@codeant-ai: review
Check Your Repository Health
To analyze the health of your code repository, visit our dashboard at https://app.codeant.ai. This tool helps you identify potential issues and areas for improvement in your codebase, ensuring your repository maintains high standards of code health.
Unescaped HTML / XSS The code appends an HTML anchor built from the feed URL directly into contents without escaping. A malicious feed could provide a crafted URL (or other interpolated content) that results in XSS when later rendered as raw_html. Validate and escape or sanitize any user-supplied URLs/strings before injecting into HTML stored as raw HTML.
Raw HTML rendering / XSS risk The view uses raw post.cooked and inserts avatar URL into an unescaped src attribute. If post.cooked or avatar URL are not guaranteed sanitized/trusted, this could introduce XSS or broken markup. Confirm post.cooked is sanitized HTML and ensure attributes are escaped.
Referer check & frame policy The referer host is compared directly to SiteSetting.embeddable_host, and the controller sets X-Frame-Options: ALLOWALL. The referer can be spoofed or absent; relying solely on it may be insufficient. Setting ALLOWALL removes clickjacking protection; verify this is intentional and limit to trusted origins where possible.
Remote fetch robustness The job uses open/open-uri without explicit timeouts, SSL verification control, or error handling and passes the result directly to SimpleRSS. Network failures, slow hosts, or malicious feeds could cause the job to hang or crash. Also i.content.scrub assumes i.content is present.
Host validation brittle The host comparison uses direct equality between SiteSetting.embeddable_host and URI(@embed_url).host without normalization or support for subdomains/ports. This can cause valid embed URLs to be rejected (or invalid ones accepted) because of case, trailing dots, ports, or subdomains. It also assumes URI(@embed_url).host exists; nil hosts need handling.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
codeant-ai
Bot
added
the
size:XL
User description
Test 4
Summary by CodeRabbit
New Features
Tests
Chores
✏️ Tip: You can customize this high-level summary in your review settings.
Replicated from ai-code-review-evaluation/discourse-coderabbit#4
CodeAnt-AI Description
Add embeddable iframe comments with RSS/ATOM import and raw-HTML posts
What Changed
Impact
✅ Embeddable comments via iframe✅ Automatic import of RSS/ATOM feeds into topics✅ Imported posts preserve original HTML and fixed relative links💡 Usage Guide
Checking Your Pull Request
Every time you make a pull request, our system automatically looks through it. We check for security issues, mistakes in how you're setting up your infrastructure, and common code problems. We do this to make sure your changes are solid and won't cause any trouble later.
Talking to CodeAnt AI
Got a question or need a hand with something in your pull request? You can easily get in touch with CodeAnt AI right here. Just type the following in a comment on your pull request, and replace "Your question here" with whatever you want to ask:
This lets you have a chat with CodeAnt AI about your pull request, making it easier to understand and improve your code.
Example
Preserve Org Learnings with CodeAnt
You can record team preferences so CodeAnt AI applies them in future reviews. Reply directly to the specific CodeAnt AI suggestion (in the same thread) and replace "Your feedback here" with your input:
This helps CodeAnt AI learn and adapt to your team's coding style and standards.
Example
Retrigger review
Ask CodeAnt AI to review the PR again, by typing:
Check Your Repository Health
To analyze the health of your code repository, visit our dashboard at https://app.codeant.ai. This tool helps you identify potential issues and areas for improvement in your codebase, ensuring your repository maintains high standards of code health.