mirror of https://github.com/mastodon/mastodon
Validate allowed schemes on preview card URLs (#27485)
This commit is contained in:
parent
9d45a444f9
commit
b0213472df
|
@ -55,7 +55,7 @@ class PreviewCard < ApplicationRecord
|
||||||
|
|
||||||
has_attached_file :image, processors: [:thumbnail, :blurhash_transcoder], styles: ->(f) { image_styles(f) }, convert_options: { all: '-quality 90 +profile "!icc,*" +set date:modify +set date:create +set date:timestamp' }, validate_media_type: false
|
has_attached_file :image, processors: [:thumbnail, :blurhash_transcoder], styles: ->(f) { image_styles(f) }, convert_options: { all: '-quality 90 +profile "!icc,*" +set date:modify +set date:create +set date:timestamp' }, validate_media_type: false
|
||||||
|
|
||||||
validates :url, presence: true, uniqueness: true
|
validates :url, presence: true, uniqueness: true, url: true
|
||||||
validates_attachment_content_type :image, content_type: IMAGE_MIME_TYPES
|
validates_attachment_content_type :image, content_type: IMAGE_MIME_TYPES
|
||||||
validates_attachment_size :image, less_than: LIMIT
|
validates_attachment_size :image, less_than: LIMIT
|
||||||
remotable_attachment :image, LIMIT
|
remotable_attachment :image, LIMIT
|
||||||
|
|
|
@ -0,0 +1,28 @@
|
||||||
|
# frozen_string_literal: true
|
||||||
|
|
||||||
|
require 'rails_helper'
|
||||||
|
|
||||||
|
describe PreviewCard do
|
||||||
|
describe 'validations' do
|
||||||
|
describe 'urls' do
|
||||||
|
it 'allows http schemes' do
|
||||||
|
record = described_class.new(url: 'http://example.host/path')
|
||||||
|
|
||||||
|
expect(record).to be_valid
|
||||||
|
end
|
||||||
|
|
||||||
|
it 'allows https schemes' do
|
||||||
|
record = described_class.new(url: 'https://example.host/path')
|
||||||
|
|
||||||
|
expect(record).to be_valid
|
||||||
|
end
|
||||||
|
|
||||||
|
it 'does not allow javascript: schemes' do
|
||||||
|
record = described_class.new(url: 'javascript:alert()')
|
||||||
|
|
||||||
|
expect(record).to_not be_valid
|
||||||
|
expect(record).to model_have_error_on_field(:url)
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
Loading…
Reference in New Issue