Merge pull request from GHSA-ccm4-vgcc-73hp

* Tighten allowed HTML in oEmbed-based preview cards * Sanitize preview cards at render time * Add `sandbox` attribute to preview card iframes
author: Claire <claire.github-309c@sitedethib.com> 2023-07-06 15:03:33 +0200
committer: Starfall <us@starfall.systems> 2023-07-07 11:45:32 -0500
commit: 5ddae512857eb143ff91741f4a35c186fac1036e (patch)
tree: eac71e9d30980d3e2927a0bc9f3e6155db23fc65 /app
parent: 609ee7b2979252464e63acbfd2eff3e0e3786f3e (diff)
1 files changed, 4 insertions, 0 deletions
diff --git a/app/serializers/rest/preview_card_serializer.rb b/app/serializers/rest/preview_card_serializer.rb
index 8413b23d8..08bc07edd 100644
--- a/app/serializers/rest/preview_card_serializer.rb
+++ b/app/serializers/rest/preview_card_serializer.rb
@@ -11,4 +11,8 @@ class REST::PreviewCardSerializer < ActiveModel::Serializer
   def image
     object.image? ? full_asset_url(object.image.url(:original)) : nil
   end
+
+  def html
+    Sanitize.fragment(object.html, Sanitize::Config::MASTODON_OEMBED)
+  end
 end
author	Claire <claire.github-309c@sitedethib.com>	2023-07-06 15:03:33 +0200
committer	Starfall <us@starfall.systems>	2023-07-07 11:45:32 -0500
commit	5ddae512857eb143ff91741f4a35c186fac1036e (patch)
tree	eac71e9d30980d3e2927a0bc9f3e6155db23fc65 /app
parent	609ee7b2979252464e63acbfd2eff3e0e3786f3e (diff)