mirror of
https://gh.wpcy.net/https://github.com/discourse/discourse.git
synced 2026-05-03 13:46:26 +08:00
472f9e1f78
Graphviz can generate SVG output with anchor elements containing arbitrary URLs specified by users. This change implements server-side sanitization to allow only http and https URLs.
17 lines
370 B
Ruby
17 lines
370 B
Ruby
# frozen_string_literal: true
|
|
|
|
class RebakeGraphvizPosts < ActiveRecord::Migration[7.2]
|
|
def up
|
|
# Rebake posts with graphviz graphs to apply updated link sanitization
|
|
execute <<~SQL
|
|
UPDATE posts
|
|
SET baked_version = 0
|
|
WHERE raw LIKE '%[graphviz]%'
|
|
OR cooked LIKE '%class="graphviz%'
|
|
SQL
|
|
end
|
|
|
|
def down
|
|
# Do nothing
|
|
end
|
|
end
|
