Whitelist ALL the things (#2303)

* Whitelist embeds from mail.ru * Whitelist embeds from vk.com * Whitelist embeds from livejournal.com * Whitelist embeds from music.yandex.ru * Whitelist embeds from open.spotify.com * Whitelist embeds from giphy.com * Whitelist embeds from wistia.com * Whitelist embeds from discord * Whitelist embeds from IMDB * Whitelist embeds from ReverbNation * Whitelist new Google Maps url style
dreamwidth · Mar 24, 2018 · 83f4d28 · 83f4d28
1 parent e33a195
commit 83f4d28
Show file tree

Hide file tree

Showing 2 changed files with 40 additions and 2 deletions.
diff --git a/cgi-bin/DW/Hooks/EmbedWhitelist.pm b/cgi-bin/DW/Hooks/EmbedWhitelist.pm
@@ -63,15 +63,17 @@ my %host_path_match = (
 
     "www.dailymotion.com"   => [ qr!^/embed/video/!, 1 ],
     "dotsub.com"            => [ qr!^/media/!, 1 ],
+    "discordapp.com"        => [ qr!^/widget$!, 1 ],
 
     "episodecalendar.com"   => [ qr!^/icalendar/!, 0 ],
 
     "www.flickr.com"        => [ qr!/player/$!, 1 ],
 
     "www.goodreads.com"     => [ qr!^/widgets/!, 1 ],
+    "giphy.com"             => [ qr!^/embed/\w+!, 1 ],
 
     "maps.google.com"       => [ qr!^/maps!, 1 ],
-    "www.google.com"        => [ qr!^/calendar/!, 1 ],
+    "www.google.com"        => [ qr!^/(calendar/|maps/embed)!, 1 ],
     "calendar.google.com"   => [ qr!^/calendar/!, 1 ],
     # drawings do not need to be whitelisted as they are images.
     # forms arent being allowed for security concerns.
@@ -80,12 +82,14 @@ my %host_path_match = (
 
     "imgur.com"             => [ qr!^/a/.+?/embed!, 1 ],
     "instagram.com"         => [ qr!^/p/.*/embed/$!, 1 ],
+    "www.imdb.com"         => [ qr!^/videoembed/\w+$!, 0 ],
 
     "jsfiddle.net"          => [ qr!/embedded/$!, 1 ],
 
     "www.kickstarter.com"   => [ qr!/widget/[a-zA-Z]+\.html$!, 1 ],
 
     "www.mixcloud.com"      => [ qr!^/widget/iframe/$!, 1 ],
+    "my.mail.ru"            => [ qr!^/video/embed/\d+!, 1 ],
 
     "ext.nicovideo.jp"      => [ qr!^/thumb/!, 0 ],
     "noisetrade.com"        => [ qr!^/service/widgetv2/!, 1 ],
@@ -96,20 +100,26 @@ my %host_path_match = (
     "playmoss.com"          => [ qr!^/embed/!, 1 ],
     "www.plurk.com"         => [ qr!^/getWidget$!, 1 ],
 
+    "www.reverbnation.com"  => [ qr!^/widget_code/html_widget/artist_\d+$!, 1 ],
+
     "www.sbs.com.au"        => [ qr!/player/embed/!, 0 ],  # best guess; language parameter before /player may vary
     "scratch.mit.edu"       => [ qr!^/projects/embed/!, 1 ],
     "www.scribd.com"        => [ qr!^/embeds/!, 1 ],
     "www.slideshare.net"    => [ qr!^/slideshow/embed_code/!, 1 ],
     "w.soundcloud.com"      => [ qr!^/player/!, 1 ],
     "embed.spotify.com"     => [ qr!^/$!, 1 ],
+    "open.spotify.com"      => [ qr!^/($)|(embed/track/\w+$)!, 1 ],
 
     "embed.ted.com"         => [ qr!^/talks/!, 1 ],
 
+    "vk.com"                => [ qr!^/video_ext\.php$!, 1 ],
     "vid.me"                => [ qr!^/e/!, 1 ],
     "player.vimeo.com"      => [ qr!^/video/\d+$!, 1 ],
     "vine.co"               => [ qr!^/v/[a-zA-Z0-9]{11}/embed/simple$!, 1 ],
     # Videos seemed to use an 11-character identification; may need to be changed
 
+    "fast.wistia.com"       => [ qr!^/embed/iframe/\w+$!, 1 ],
+
     "video.yandex.ru"       => [ qr!^/iframe/[\-\w]+/[a-z0-9]+\.\d{4}/?$!, 1 ], #don't think the last part can include caps; amend if necessary
 
     "www.zippcast.com"      => [ qr!^/videoview\.php$!, 0 ],
@@ -164,6 +174,14 @@ LJ::Hooks::register_hook( 'allow_iframe_embeds', sub {
         return ( 1, 1 ) if $parsed_uri->query =~ m/format=embed/;
     }
 
+    if ( match_subdomain( "livejournal.com", $uri_host ) ) {
+        return ( 1, 1 ) if match_full_path( qr!/\d+\.html!, $uri_path ) && $parsed_uri->query =~ m/embed/;
+    }
+
+    if ( $uri_host eq "music.yandex.ru" ) {
+        return ( 1, 1 ) if $parsed_uri->fragment =~ m!track/\d+/\d+!;
+    }
+
     return 0;
 
 } );

diff --git a/t/embed-whitelist.t b/t/embed-whitelist.t
@@ -15,7 +15,7 @@
 use strict;
 use warnings;
 
-use Test::More tests => 70;
+use Test::More tests => 85;
 
 BEGIN { $LJ::_T_CONFIG = 1; require "$ENV{LJHOME}/cgi-bin/ljlib.pl"; }
 
@@ -91,6 +91,7 @@ note( "misc" );
     # D
     test_good_url( "http://www.dailymotion.com/embed/video/x1xx11x" );
     test_good_url( "http://dotsub.com/media/9db493c6-6168-44b0-89ea-e33a31db48db/e/m" );
+    test_good_url( "https://discordapp.com/widget?id=305444013354254349&theme=dark" );
 
     # E
     test_good_url( "http://episodecalendar.com/icalendar/sampleuser\@example.com/abcde/", "Will 404, but correctly-formed" );
@@ -101,8 +102,10 @@ note( "misc" );
 
     # G
     test_good_url( "http://www.goodreads.com/widgets/user_update_widget?height=400&num_updates=3&user=12345&width=250" );
+    test_good_url( "https://giphy.com/embed/Om0tF9bYdLCKI" );
 
     test_good_url( "http://maps.google.com/maps?f=q&source=s_q&hl=en&geocode=&q=somethingsomething&aq=0&sll=00.000,-00.0000&sspn=0.00,0.0&vpsrc=0&ie=UTF8&hq=&hnear=somethingsomething&z=0&ll=0,-00&output=embed" );
+    test_good_url( "https://www.google.com/maps/embed?pb=!1m14!1m12!1m3!1d10271.13503700941!2d11.57008615!3d49.94039865!2m3!1f0!2f0!3f0!3m2!1i1024!2i768!4f13.1!5e0!3m2!1sde!2sde!4v1494881096867" );
     test_good_url( "https://www.google.com/calendar/b/0/embed?showPrint=0&showTabs=0&showCalendars=0&showTz=0&height=600&wkst=1&bgcolor=%23FFFFFF&src=foo%40group.calendar.google.com" );
     test_good_url( "https://docs.google.com/spreadsheet/pub?key=0ArL0HD_lYDPadEkxSi1DTzJDa09GUmtzWEEwUDd4WFE&output=html&widget=true" );
     test_good_url( "https://docs.google.com/spreadsheets/d/1P84CUNTo5O4ZW7R58Gl1ksCknFx3p59XzzQa7y67IaI/pubhtml?gid=23737011&single=true&widget=true&headers=false" );
@@ -112,6 +115,7 @@ note( "misc" );
     # I
     test_good_url( "//imgur.com/a/J4OKE/embed" );
     test_good_url( "//instagram.com/p/cA1pRXKGBT/embed/" );
+    test_good_url( "http://www.imdb.com/videoembed/vi1743501593" );
 
     # J
     test_good_url( "//www.jigsawplanet.com/?rc=play&amp;pid=35458f1355c4&amp;view=iframe" );
@@ -121,8 +125,15 @@ note( "misc" );
     test_good_url( "http://www.kickstarter.com/projects/25352323/arrival-a-short-film-by-alex-myung/widget/video.html" );
     test_good_url( "http://www.kickstarter.com/projects/25352323/arrival-a-short-film-by-alex-myung/widget/card.html" );
 
+    # L
+    test_good_url( "https://shad-tkhom.livejournal.com/1244088.html?embed" );
+    test_bad_url( "https://shad-tkhom.livejournal.com/1244088.html", "missing embed flag" );
+    test_bad_url( "https://shad-tkhom.livejournal.com/1244sd088.html?embed", "invalid item id" );
+    test_bad_url( "https://shad_tkhom.livejournal.com/1244sd088.html?embed", "bad username" );
+
     # M
     test_good_url( "https://www.mixcloud.com/widget/iframe/?feed=https%3A%2F%2Fwww.mixcloud.com%2Fvladmradio%2F25-podcast-from-august-24-2016%2F&hide_cover=1&light=1" );
+    test_good_url( "https://my.mail.ru/video/embed/420151911556087230" );
 
     # N
     test_good_url( "http://ext.nicovideo.jp/thumb/sm123123123" );
@@ -140,20 +151,26 @@ note( "misc" );
     test_good_url( "https://playmoss.com/embed/wingedbeastie/the-swamp-witch-nix-s-playlist" );
     test_good_url( "http://www.plurk.com/getWidget?uid=123123123&h=375&w=200&u_info=2&bg=cf682f&tl=cae7fd" );
 
+    # R
+    test_good_url( "https://www.reverbnation.com/widget_code/html_widget/artist_299962?widget_id=55&pwc[song_ids]=4189683&context_type=song&pwc[size]=small&pwc[color]=dark" );
+
     # S
     test_good_url( "http://www.sbs.com.au/yourlanguage//player/embed/id/163111" );
     test_good_url( "//scratch.mit.edu/projects/embed/144290094/?autostart=false" );
     test_good_url( "http://www.scribd.com/embeds/123123/content?start_page=1&view_mode=list&access_key=" );
     test_good_url( "http://www.slideshare.net/slideshow/embed_code/12312312" );
     test_good_url( "http://w.soundcloud.com/player/?url=http%3A%2F%2Fapi.soundcloud.com%2Ftracks%2F23318382&show_artwork=true" );
     test_good_url( "https://embed.spotify.com/?uri=spotify:track:1DeuZgn99eUC1hreXTWBvY" );
+    test_good_url( "https://open.spotify.com/embed/track/5IsdA6g8IFKGmC1xl37OG1" );
+    test_good_url( "https://open.spotify.com/?uri=spotify:track:1DeuZgn99eUC1hreXTWBvY" );
 
     # T
     test_good_url( "http://embed.ted.com/talks/handpring_puppet_co_the_genius_puppetry_behind_war_horse.html" );
     test_good_url( "http://i.cdn.turner.com/cnn/.element/apps/cvp/3.0/swf/cnn_416x234_embed.swf?context=embed&videoId=bestoftv/2012/09/05/exp-tsr-dem-platform-voice-vote.cnn" );
 
     # V
     test_good_url( "https://vid.me/e/v63?stats=1&amp;tools=1" );
+    test_good_url( "https://vk.com/video_ext.php?oid=-49280571&id=165718332&hash=5eb26e7a4cd9982d" );
 
     test_good_url( "http://player.vimeo.com/video/123123123?title=0&byline=0&portrait=0" );
     test_bad_url( "http://player.vimeo.com/video/123abc?title=0&byline=0&portrait=0" );
@@ -167,9 +184,12 @@ note( "misc" );
     test_good_url( "http://commons.wikimedia.org/wiki/File:somethingsomethingsomething.ogv?withJS=MediaWiki:MwEmbed.js&embedplayer=yes" );
     test_bad_url( "http://commons.wikimedia.org/wiki/File:1903_Burnley_Ironworks_company_steam_engine_in_use.ogv?withJS=MediaWiki:MwEmbed.js" );
 
+    test_good_url( "https://fast.wistia.com/embed/iframe/k1akcpc0ik" );
+
     # Y
     test_good_url( "https://screen.yahoo.com/fashion-photographer-life-changed-chance-193621376.html?format=embed" );
     test_good_url( "http://video.yandex.ru/iframe/v-rednaia7/9hvgcmpgkd.5440/" );
+    test_good_url( "https://music.yandex.ru/iframe/#track/31910432/247808/" );
 
     # Z
     test_good_url( "//www.zippcast.com/videoview.php?vplay=6c91dae3fc1bc909db0&auto=no" );