From: Claire
Date: Wed, 7 Jun 2023 08:52:17 +0000 (+0200)
Subject: Tighten allowed HTML in oEmbed-based preview cards
X-Git-Url: https://git.xn--scling-oua.cat.family/?a=commitdiff_plain;h=b1dd99ca4ff4b941a9f417a35381dc6a2ac1d467;p=mastodon.git

Tighten allowed HTML in oEmbed-based preview cards

Signed-off-by: Claire
---

diff --git a/lib/sanitize_ext/sanitize_config.rb b/lib/sanitize_ext/sanitize_config.rb
index 546b745fc..d894ab4fa 100644
--- a/lib/sanitize_ext/sanitize_config.rb
+++ b/lib/sanitize_ext/sanitize_config.rb
@@ -115,26 +115,22 @@ class Sanitize
     ]
   )
 
-  MASTODON_OEMBED ||= freeze_config merge(
-    RELAXED,
-    elements: RELAXED[:elements] + %w(audio embed iframe source video),
+  MASTODON_OEMBED ||= freeze_config(
+    elements: %w(audio embed iframe source video),
 
-    attributes: merge(
-      RELAXED[:attributes],
+    attributes: {
       'audio' => %w(controls),
       'embed' => %w(height src type width),
       'iframe' => %w(allowfullscreen frameborder height scrolling src width),
       'source' => %w(src type),
       'video' => %w(controls height loop width),
-      'div' => [:data]
-    ),
+    },
 
-    protocols: merge(
-      RELAXED[:protocols],
+    protocols: {
       'embed' => { 'src' => HTTP_PROTOCOLS },
       'iframe' => { 'src' => HTTP_PROTOCOLS },
-      'source' => { 'src' => HTTP_PROTOCOLS }
-    )
+      'source' => { 'src' => HTTP_PROTOCOLS },
+    }
   )
 
   LINK_REL_TRANSFORMER = lambda do |env|
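Review bot: The new `MASTODON_OEMBED` config has no comment recording that it is now a standalone allow-list rather than an extension of `RELAXED`, which is the substance of this change and is easy to regress later by someone re-adding `merge(RELAXED, …)` to get text formatting back. A line above `MASTODON_OEMBED ||= freeze_config(` such as `# Deliberately NOT derived from RELAXED: oEmbed HTML is limited to the five embed container elements below and nothing else` would capture the intent. Whether keys not given here (for example `remove_contents` or `add_attributes`) fall back to Sanitize's defaults depends on `freeze_config`, which is defined outside this hunk, so it is worth confirming that the `iframe` behaviour you get is the one intended. Separately, the trailing commas added after the last `attributes` and `protocols` entries differ from the removed lines' style (`'source' => { 'src' => HTTP_PROTOCOLS }` had none); check this against the project's RuboCop `Style/TrailingCommaInHashLiteral` setting so the file stays consistent.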