Tighten allowed HTML in oEmbed-based preview cards
authorClaire <claire.github-309c@sitedethib.com>
Wed, 7 Jun 2023 08:52:17 +0000 (10:52 +0200)
committerClaire <claire.github-309c@sitedethib.com>
Thu, 6 Jul 2023 13:43:16 +0000 (15:43 +0200)
Signed-off-by: Claire <claire.github-309c@sitedethib.com>
lib/sanitize_ext/sanitize_config.rb

index 546b745fc5307d1462db5156e80756fbe7447217..d894ab4fa83b5abf29758e1b8158b2202ae9e8b1 100644 (file)
@@ -115,26 +115,22 @@ class Sanitize
       ]
     )
 
-    MASTODON_OEMBED ||= freeze_config merge(
-      RELAXED,
-      elements: RELAXED[:elements] + %w(audio embed iframe source video),
+    MASTODON_OEMBED ||= freeze_config(
+      elements: %w(audio embed iframe source video),
 
-      attributes: merge(
-        RELAXED[:attributes],
+      attributes: {
         'audio'  => %w(controls),
         'embed'  => %w(height src type width),
         'iframe' => %w(allowfullscreen frameborder height scrolling src width),
         'source' => %w(src type),
         'video'  => %w(controls height loop width),
-        'div'    => [:data]
-      ),
+      },
 
-      protocols: merge(
-        RELAXED[:protocols],
+      protocols: {
         'embed'  => { 'src' => HTTP_PROTOCOLS },
         'iframe' => { 'src' => HTTP_PROTOCOLS },
-        'source' => { 'src' => HTTP_PROTOCOLS }
-      )
+        'source' => { 'src' => HTTP_PROTOCOLS },
+      }
     )
 
     LINK_REL_TRANSFORMER = lambda do |env|
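Review bot: The new MASTODON_OEMBED literal carries no comment recording that it deliberately stops inheriting RELAXED, which is the whole point of the change and the first thing a later maintainer will be tempted to "fix" by re-adding the merge; a one-line comment above the constant such as `# Intentionally not derived from RELAXED: oEmbed HTML may only contain the embed/player elements listed here.` would pin that intent. Because `video` and `audio` still allow no `src` attribute, a media URL can only enter through `<source src>`, which is also the only place a protocol check applies, and the comment should say so explicitly so the asymmetry reads as intended rather than an oversight. As a point of style, the protocols hash now ends with a trailing comma (`'source' => { 'src' => HTTP_PROTOCOLS },`) while the attributes hash's last entry `'video'  => %w(controls height loop width)` does not; pick one convention for both hashes. `freeze_config` and `HTTP_PROTOCOLS` are defined outside the hunk and the enclosing `class Sanitize` continues beyond it, so I cannot confirm from here which other Sanitize config keys the frozen config ends up with.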