]> cat aescling's git repositories - mastodon.git/commitdiff
Check that twitter:player is valid before using it (#9254)
authorThibG <thib@sitedethib.com>
Sat, 10 Nov 2018 19:42:04 +0000 (20:42 +0100)
committerEugen Rochko <eugen@zeonfederated.com>
Sat, 10 Nov 2018 19:42:04 +0000 (20:42 +0100)
Fixes #9251

app/services/fetch_link_card_service.rb

index 3e77579bbac0fa2b4d7e9889512dbad8a1c3c93f..38c578de29265e87d135286426799f93bd36ddac 100644 (file)
@@ -136,14 +136,15 @@ class FetchLinkCardService < BaseService
     detector = CharlockHolmes::EncodingDetector.new
     detector.strip_tags = true
 
-    guess = detector.detect(@html, @html_charset)
-    page  = Nokogiri::HTML(@html, nil, guess&.fetch(:encoding, nil))
+    guess      = detector.detect(@html, @html_charset)
+    page       = Nokogiri::HTML(@html, nil, guess&.fetch(:encoding, nil))
+    player_url = meta_property(page, 'twitter:player')
 
-    if meta_property(page, 'twitter:player')
+    if player_url && !bad_url?(Addressable::URI.parse(player_url))
       @card.type   = :video
       @card.width  = meta_property(page, 'twitter:player:width') || 0
       @card.height = meta_property(page, 'twitter:player:height') || 0
-      @card.html   = content_tag(:iframe, nil, src: meta_property(page, 'twitter:player'),
+      @card.html   = content_tag(:iframe, nil, src: player_url,
                                                width: @card.width,
                                                height: @card.height,
                                                allowtransparency: 'true',