Fix malformed HTML causing uncaught error (#13042)

Fix OEmbed preview API leaking existence of private statuses (see #12930)

Fix malformed HTML causing uncaught error (#13042)
a64973ae · Eugen Rochko · GitHub · 02236332 · a64973ae · a64973ae
Unverified Commit a64973ae authored 5 years ago by Eugen Rochko Committed by GitHub 5 years ago
--- a/app/controllers/api/web/embeds_controller.rb
+++ b/app/controllers/api/web/embeds_controller.rb
@@ -7,15 +7,21 @@ class Api::Web::EmbedsController < Api::Web::BaseController

  def create
    status = StatusFinder.new(params[:url]).status
+
+    return not_found if status.hidden?
+
    render json: status, serializer: OEmbedSerializer, width: 400
  rescue ActiveRecord::RecordNotFound
    oembed = FetchOEmbedService.new.call(params[:url])
-    oembed[:html] = Formatter.instance.sanitize(oembed[:html], Sanitize::Config::MASTODON_OEMBED) if oembed[:html].present?

-    if oembed
-      render json: oembed
-    else
-      render json: {}, status: :not_found
+    return not_found if oembed.nil?
+
+    begin
+      oembed[:html] = Formatter.instance.sanitize(oembed[:html], Sanitize::Config::MASTODON_OEMBED)
+    rescue ArgumentError
+      return not_found
    end
+
+    render json: oembed
  end
 end
--- a/app/lib/formatter.rb
+++ b/app/lib/formatter.rb
@@ -46,6 +46,8 @@ class Formatter

  def reformat(html)
    sanitize(html, Sanitize::Config::MASTODON_STRICT)
+  rescue ArgumentError
+    ''
  end

  def plaintext(status)