Enhance embed URL handling and validation system #7
| <%= link_to(I18n.t('embed.title'), @topic_view.topic.url, class: 'button', target: '_blank') %> | ||
| <%- else %> | ||
| <%= link_to(I18n.t('embed.start_discussion'), @topic_view.topic.url, class: 'button', target: '_blank') %> | ||
| <%- end if %> |
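Review bot: both link_to calls open the topic with target: '_blank' but pass no rel: 'noopener', so the new tab keeps a window.opener reference back to the embed frame it was launched from; add rel: 'noopener' to the options hash on both branches (link_to emits it as a plain HTML attribute).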
ERB syntax looks invalid here: <%- end if %> should close the earlier if with just end. This will raise a template compilation error and prevent the page from rendering.
| window.onload = function() { | ||
| if (parent) { | ||
| // Send a post message with our loaded height | ||
| parent.postMessage({type: 'discourse-resize', height: document['body'].offsetHeight}, '<%= request.referer %>'); |
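Review bot: request.referer is nil when the embedding page sends no Referer header (a strict Referrer-Policy on the host page is enough), in which case this line renders postMessage(..., '') and the browser throws a SyntaxError because an empty targetOrigin is not a parseable URL, aborting the rest of window.onload. Guard the nil case (skip the message or fall back to a configured embed host) and escape the value for the JavaScript string context, for example <%= j request.referer %>, rather than relying on HTML escaping inside a script block.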
The postMessage targetOrigin should be an origin (scheme://host[:port]), not the full referrer URL; passing a full URL may cause the message to be dropped by the browser. Consider restricting this to the referer origin to ensure the iframe resize message is delivered.
| # If there is no embed, create a topic, post and the embed. | ||
| if embed.blank? | ||
| Topic.transaction do | ||
| creator = PostCreator.new(user, title: title, raw: absolutize_urls(url, contents), skip_validations: true, cook_method: Post.cook_methods[:raw_html]) |
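Review bot: skip_validations: true here switches off the PostCreator validations on the very content that cook_method: Post.cook_methods[:raw_html] will render without the markdown/sanitizer pipeline, so nothing on this path rejects or rewrites hostile feed HTML before it is stored; drop skip_validations for imported content, or sanitize contents before it reaches PostCreator.new.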
Rendering imported feed content with cook_method: Post.cook_methods[:raw_html] bypasses sanitization and can allow untrusted HTML into posts (XSS risk), especially for RSS/ATOM imports. It would be safer to ensure the content is sanitized/whitelisted before rendering or avoid using the raw HTML cook method for external content.
| url = i.link | ||
| url = i.id if url.blank? || url !~ /^https?\:\/\// | ||
|
|
||
| content = CGI.unescapeHTML(i.content.scrub) |
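Review bot: the scheme check on url uses ^, which in Ruby matches at the start of any line, so a multi-line link such as "javascript:alert(1)\nhttp://example.com" passes; anchor with \A instead (url !~ /\Ahttps?:\/\//). The i.id fallback is then assigned without any check at all, although Atom ids are commonly tag: or urn: URIs rather than fetchable URLs, so apply the same check to the fallback and skip the item when neither value qualifies.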
Some feeds do not include an item.content; calling scrub on nil here will raise and halt polling. Consider handling missing content (e.g., falling back to description or skipping items without content).
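As an added example (not code from this PR or from the project), here is a Ruby version of the item-extraction step that handles the two problems raised above: the URL check is anchored to the whole string and applied to the id fallback as well, and the body falls back to description and returns nil instead of raising when a feed item has no content. FeedItem, the helper names and the sample entries are assumptions constructed for the example.

```ruby
require 'cgi'
require 'uri'

# Stand-in for a parsed feed entry (assumption for this example; the real
# feed objects expose at least link, id and content as used in the PR).
FeedItem = Struct.new(:link, :id, :content, :description, keyword_init: true)

# The check as written in the PR, kept for comparison. ^ matches after any
# newline, so a value that merely contains an http(s) line passes.
def lenient_http_url?(value)
  !!(value && value =~ /^https?:\/\//)
end

# Strict check: the whole string must be one absolute http(s) URL.
# \A and \z anchor the entire string, and URI.parse rejects malformed hosts.
def http_url?(value)
  return false if value.nil? || value.empty?
  return false unless value.match?(/\Ahttps?:\/\/\S+\z/)
  uri = URI.parse(value)
  %w[http https].include?(uri.scheme) && !uri.host.to_s.empty?
rescue URI::InvalidURIError
  false
end

# Prefer link, fall back to id, but only when the candidate is a real URL.
# Returns nil (caller should skip the item) when neither qualifies.
def item_url(item)
  [item.link, item.id].find { |candidate| http_url?(candidate) }
end

# Body text: content first, then description; nil when the feed has neither.
# scrub runs before strip so invalid byte sequences cannot raise.
def item_content(item)
  raw = item.content || item.description
  return nil if raw.nil?
  cleaned = raw.scrub
  return nil if cleaned.strip.empty?
  CGI.unescapeHTML(cleaned)
end

# Constructed sample entries: a normal item, an item whose link would pass
# the ^-anchored check but not the strict one, and an item with no body.
SAMPLE_ITEMS = [
  FeedItem.new(link: 'https://example.com/post/1', id: 'urn:uuid:1',
               content: 'Hello &amp; welcome'),
  FeedItem.new(link: "javascript:alert(1)\nhttp://example.com/x",
               id: 'http://example.com/post/2', content: nil,
               description: 'Summary only'),
  FeedItem.new(link: nil, id: 'tag:example.com,2014:3',
               content: nil, description: nil),
]

# Items without a usable URL or body are skipped rather than raising.
def extract(items)
  items.each_with_object([]) do |item, out|
    url = item_url(item)
    body = item_content(item)
    out << { url: url, content: body } if url && body
  end
end

if __FILE__ == $0
  extract(SAMPLE_ITEMS).each { |entry| puts "#{entry[:url]} -> #{entry[:content]}" }
end
```

Running the file prints the two usable entries; the third sample is dropped because its id is a tag: URI and it carries no content or description.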