FIX: email styling with blacklisted iframes

discourse · Oct 21, 2016 · 2a61cc8 · 2a61cc8
1 parent 35d248a
commit 2a61cc8
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 2 deletions.
diff --git a/lib/email/styles.rb b/lib/email/styles.rb
@@ -129,13 +129,18 @@ def onebox_styles
       # iframes can't go in emails, so replace them with clickable links
       @fragment.css('iframe').each do |i|
         begin
-          src_uri = URI(i['src'])
+          # sometimes, iframes are blacklisted...
+          if i["src"].blank?
+            i.remove
+            next
+          end
 
+          src_uri = URI(i['src'])
           # If an iframe is protocol relative, use SSL when displaying it
           display_src = "#{src_uri.scheme || 'https'}://#{src_uri.host}#{src_uri.path}#{src_uri.query.nil? ? '' : '?' + src_uri.query}#{src_uri.fragment.nil? ? '' : '#' + src_uri.fragment}"
           i.replace "<p><a href='#{src_uri.to_s}'>#{CGI.escapeHTML(display_src)}</a><p>"
         rescue URI::InvalidURIError
-          # If the URL is weird, remove it
+          # If the URL is weird, remove the iframe
           i.remove
         end
       end

diff --git a/spec/components/email/styles_spec.rb b/spec/components/email/styles_spec.rb
@@ -95,6 +95,12 @@ def html_fragment(html)
       expect(frag.at('iframe')).to be_blank
       expect(frag.at('a')).to be_blank
     end
+
+    it "won't allow empty iframe src, strips them with no link" do
+      frag = html_fragment("<iframe src=''></iframe>")
+      expect(frag.at('iframe')).to be_blank
+      expect(frag.at('a')).to be_blank
+    end
   end
 
   context "rewriting protocol relative URLs to the forum" do