Modify config of sanitize for OGP

keillera · keillera · commit e0a211722b06 · 2018-06-23T18:22:32.000+09:00
diff --git a/src/common/text_sanitizer.py b/src/common/text_sanitizer.py
@@ -35,7 +35,9 @@ def allow_div_attributes(tag, name, value):
                 return True
         if name == 'data-alis-iframely-url':
             p = urlparse(value)
-            return p.netloc == 'twitter.com'
+            is_url = len(p.scheme) > 0 and len(p.netloc) > 0
+            is_clean = True if bleach.clean(value) == value else False
+            return is_url and is_clean
         if name == 'contenteditable':
             if value == 'false':
                 return True
diff --git a/tests/common/test_text_sanitizer.py b/tests/common/test_text_sanitizer.py
@@ -68,6 +68,8 @@ def test_sanitize_article_body(self):
         </div>
         <a href="http://example.com">link</a>
         <div data-alis-iframely-url="https://twitter.com/hoge">hoge</div>
+        <div data-alis-iframely-url="https://example.com/hoge?x=1">hoge</div>
+        <div data-alis-iframely-url="http://example.com/hoge?x=1%3Cdiv%3Ehoge%3C%2Fdiv%3E">hoge</div>
         '''.format(domain=os.environ['DOMAIN'])
 
         result = TextSanitizer.sanitize_article_body(target_html)
@@ -143,7 +145,7 @@ def test_sanitize_article_body_with_div_unauthorized_url(self):
         target_html = '''
         <h2>sample h2</h2>
         <div class='hoge piyo' data='aaa' contenteditable='true'></div>
-        <div data-alis-iframely-url="https://example.com/hoge">hoge</div>
+        <div data-alis-iframely-url="https://example.com/hoge?<script>piyo</script>">hoge</div>
         '''
 
         expected_html = '''
