AO3-6665 Check URL protocols of media src attributes (otwcode#4713)

redsummernight · Jan 8, 2024 · 653c19c · 653c19c
1 parent da664ae
commit 653c19c
Show file tree

Hide file tree

Showing 2 changed files with 36 additions and 20 deletions.
diff --git a/lib/otw_sanitize/media_sanitizer.rb b/lib/otw_sanitize/media_sanitizer.rb
@@ -22,31 +22,37 @@ class controls crossorigin dir height loop
         audio video source track
       ] + Sanitize::Config::ARCHIVE[:elements],
       attributes: {
-        'audio'  => AUDIO_ATTRIBUTES,
-        'video'  => VIDEO_ATTRIBUTES,
-        'source' => SOURCE_ATTRIBUTES,
-        'track'  => TRACK_ATTRIBUTES
+        "audio" => AUDIO_ATTRIBUTES,
+        "video" => VIDEO_ATTRIBUTES,
+        "source" => SOURCE_ATTRIBUTES,
+        "track" => TRACK_ATTRIBUTES
       },
       add_attributes: {
-        'audio' => {
-          'controls'    => 'controls',
-          'crossorigin' => 'anonymous',
-          'preload'     => 'metadata'
+        "audio" => {
+          "controls" => "controls",
+          "crossorigin" => "anonymous",
+          "preload" => "metadata"
         },
-        'video' => {
-          'controls'    => 'controls',
-          'playsinline' => 'playsinline',
-          'crossorigin' => 'anonymous',
-          'preload'     => 'metadata'
+        "video" => {
+          "controls" => "controls",
+          "playsinline" => "playsinline",
+          "crossorigin" => "anonymous",
+          "preload" => "metadata"
         }
       },
       protocols: {
-        'audio' => {
-          'src'    => %w[http https]
+        "audio" => {
+          "src" => %w[http https]
         },
-        'video' => {
-          'poster' => %w[http https],
-          'src'    => %w[http https]
+        "video" => {
+          "poster" => %w[http https],
+          "src" => %w[http https]
+        },
+        "source" => {
+          "src" => %w[http https]
+        },
+        "track" => {
+          "src" => %w[http https]
         }
       }
     }.freeze
@@ -102,6 +108,7 @@ def source_host
 
     def banned_source?
       return unless source_host
+
       ArchiveConfig.BANNED_MULTIMEDIA_SRCS.any? do |blocked|
         source_host.match(blocked)
       end

diff --git a/spec/lib/otw_sanitize/media_sanitizer_spec.rb b/spec/lib/otw_sanitize/media_sanitizer_spec.rb
@@ -51,8 +51,8 @@
       it "allows source elements" do
         html = "
           <video controls width='250'>
-            <source src='example.com/flower.webm' type='video/webm'>
-            <source src='example.com/flower.mp4' type='video/mp4'>
+            <source src='http://example.com/flower.webm' type='video/webm'>
+            <source src='http://example.com/flower.mp4' type='video/mp4'>
             Sorry, your browser doesn't support embedded videos.
           </video>"
         content = Sanitize.fragment(html, config)
@@ -99,6 +99,15 @@
         expect(content).not_to match("javascript")
       end
 
+      %w[audio video source track].each do |element|
+        it "removes src on #{element} elements for unsupported protocols" do
+          html = "<#{element} src='file://flower.mp4'></#{element}>"
+          content = Sanitize.fragment(html, config)
+          expect(content).not_to match("src")
+          expect(content).not_to match("file://")
+        end
+      end
+
       context "given a blacklisted source" do
         before do
           ArchiveConfig.BANNED_MULTIMEDIA_SRCS = ["google.com"]