UX: add * mention to site setting description

2025-10-04 17:32:34 +08:00 · 2025-04-15 20:05:53 -03:00 · 2025-04-15 20:05:53 -03:00 · 232f220546
commit 232f220546
parent aa6d0bb685
5 changed files with 60 additions and 4 deletions
--- a/app/assets/javascripts/discourse/tests/unit/lib/sanitizer-test.js
+++ b/app/assets/javascripts/discourse/tests/unit/lib/sanitizer-test.js
@ -15,7 +15,7 @@ module("Unit | Utility | sanitizer", function (hooks) {
    const engine = build({
      siteSettings: {
        allowed_iframes:
-          "https://www.google.com/maps/embed?|https://www.openstreetmap.org/export/embed.html?",
+          "https://www.google.com/maps/embed?|https://www.openstreetmap.org/export/embed.html?|https://www.example.com/*/preview/",
      },
    });
    const cooked = (input, expected, text) =>
@ -77,6 +77,30 @@ module("Unit | Utility | sanitizer", function (hooks) {
      "allows iframe to OpenStreetMap"
    );

+    cooked(
+      '<iframe src="https://www.example.com/wild/preview/card"></iframe>',
+      '<iframe src="https://www.example.com/wild/preview/card"></iframe>',
+      "allows iframe to example.com matching wild card"
+    );
+
+    cooked(
+      '<iframe src="https://www.example.com/wild/not/card"></iframe>',
+      "",
+      "disallows iframe to example.com not matching wild card"
+    );
+
+    cooked(
+      '<iframe src="https://www.example.com/wild/not/card#/preview"></iframe>',
+      "",
+      "disallows iframe to example.com not matching wild card"
+    );
+
+    cooked(
+      '<iframe src="https://www.example.com/wild/not/card?foo=/preview"></iframe>',
+      "",
+      "disallows iframe to example.com not matching wild card"
+    );
+
    cooked(
      `BEFORE\n\n<iframe src=http://example.com>\n\nINSIDE\n\n</iframe>\n\nAFTER`,
      `<p>BEFORE</p>\n\n<p>AFTER</p>`,
--- a/app/assets/javascripts/pretty-text/addon/sanitizer.js
+++ b/app/assets/javascripts/pretty-text/addon/sanitizer.js
@ -133,7 +133,11 @@ export function sanitize(text, allowLister) {
            name === "src" &&
            !value.match(/\/\.+\//) &&
            allowedIframes.some((i) => {
-              return value.toLowerCase().startsWith((i || "").toLowerCase());
+              const regex = i
+                // escape regex, keeping *
+                .replace(/[.+?^${}()|[\]\\]/g, "\\$&")
+                .replace(/\*/g, "[^/]+");
+              return new RegExp(`^${regex}.*$`, "i").test(value);
            }))
        ) {
          return attr(name, value);
--- a/config/locales/server.en.yml
+++ b/config/locales/server.en.yml
@ -1885,7 +1885,7 @@ en:
    blocked_ip_blocks: "A list of private IP blocks that should never be crawled by Discourse"
    allowed_internal_hosts: "A list of internal hosts that discourse can safely crawl for oneboxing and other purposes"
    allowed_onebox_iframes: "A list of iframe src domains which are allowed via Onebox embeds. `*` will allow all default Onebox engines."
-    allowed_iframes: "A list of iframe src URL prefixes that Discourse can safely allow in posts"
+    allowed_iframes: "A list of iframe src URL prefixes that Discourse can safely allow in posts. * can be used to match any number of non-/ characters."
    allowed_crawler_user_agents: "User agents of web crawlers that should be allowed to access the site. WARNING! SETTING THIS WILL DISALLOW ALL CRAWLERS NOT LISTED HERE!"
    blocked_crawler_user_agents: "Unique case insensitive word in the user agent string identifying web crawlers that should not be allowed to access the site. Does not apply if allowlist is defined."
    slow_down_crawler_user_agents: 'User agents of web crawlers that should be rate limited as configured in the "slow down crawler rate" setting. Each value must be at least 3 characters long.'
--- a/config/site_settings.yml
+++ b/config/site_settings.yml
@ -2516,7 +2516,7 @@ security:
    allow_any: false
    choices: "['*'] + Onebox::Engine.all_iframe_origins"
  allowed_iframes:
-    default: "https://www.google.com/maps/embed?|https://www.openstreetmap.org/export/embed.html?|https://calendar.google.com/calendar/embed?|https://codepen.io/|https://www.instagram.com/|https://open.spotify.com/"
+    default: "https://www.google.com/maps/embed?|https://www.openstreetmap.org/export/embed.html?|https://calendar.google.com/calendar/embed?|https://codepen.io/*/embed/preview/|https://www.instagram.com/|https://open.spotify.com/"
    type: list
    list_type: simple
    client: true
--- a/db/migrate/20250415224422_update_allowed_iframes_codepen_stricter_default.rb
+++ b/db/migrate/20250415224422_update_allowed_iframes_codepen_stricter_default.rb
@ -0,0 +1,28 @@
+# frozen_string_literal: true
+class UpdateAllowedIframesCodepenStricterDefault < ActiveRecord::Migration[7.2]
+  def change
+    prev_value =
+      DB.query_single("SELECT value FROM site_settings WHERE name = 'allowed_iframes'").first
+
+    return if prev_value.blank?
+
+    new_value =
+      prev_value.gsub(
+        %r{(^|\|)https://codepen\.io/($|\|)},
+        '\1https://codepen.io/*/embed/preview/\2',
+      )
+
+    return if new_value == prev_value
+
+    DB.exec(<<~SQL, new_value:)
+      UPDATE site_settings
+      SET value = :new_value
+      WHERE name = 'allowed_iframes'
+    SQL
+
+    DB.exec(<<~SQL, prev_value:, new_value:)
+      INSERT INTO user_histories (action, subject, previous_value, new_value, admin_only, updated_at, created_at, acting_user_id)
+      VALUES (3, 'allowed_iframes', :prev_value, :new_value, true, NOW(), NOW(), -1)
+    SQL
+  end
+end