The title of this pull request changed from “FEATURE: Censor Oneboxes” to “FEATURE: Apply censor watched words to Oneboxes”
CGI.unescape_html("■") should be extracted into a constant?
What happens if the regexp is “bad” and ends up matching a LOT? Can we add some kind of protection?
What do you mean by “bad” and “a lot”? The replace is fast even when the match is very long. What can be expensive is the matching and there is no way to set a timeout for it.
I meant to replicate the protection we added on the client side in #12967.
If there’s a regexp that matches all words, or worse, characters, it could do a lot of replacements.
That protection is only for replace probably because of recursive replacements (u → you → yoyou → yoyoyou → …). We do not have this protection for censor watched words on the client side either. Would you like me to implement it there too?
@nbianca I think we need a followup because you can still abuse the system with inline oneboxing. I guess we censor that too? Also may sneak in via external link map title? Not sure.
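The protection asked about in this thread, sketched as an added Ruby example that is not part of the pull request or of Discourse's code: a single-pass censor that aborts once a pattern has matched more often than a cap allows. The names `censor`, `censor_or_flag`, `MAX_REPLACEMENTS` and `TooManyCensorMatches`, and the limit of 50, are assumptions made for illustration.

```ruby
# Added example; hypothetical helper names, not Discourse code.
CENSOR_CHAR = "■"        # the block character discussed in the thread
MAX_REPLACEMENTS = 50    # assumed cap; size it to the content being censored

class TooManyCensorMatches < StandardError; end

# Replaces each non-empty match with block characters of the same length.
# The pass runs once over the input and never rescans its own output, so it
# cannot grow the text the way a recursive replace rule can.
# Raises TooManyCensorMatches as soon as the cap is exceeded, which stops
# the gsub instead of rewriting most of the text for an over-broad pattern.
def censor(text, pattern, max: MAX_REPLACEMENTS)
  count = 0
  text.gsub(pattern) do |match|
    next match if match.empty?   # zero-width matches change nothing
    count += 1
    if count > max
      raise TooManyCensorMatches, "pattern #{pattern.inspect} exceeded #{max} matches"
    end
    CENSOR_CHAR * match.length
  end
end

# Caller-side policy (an assumption): on an over-broad pattern, return no
# text and a status the caller can log, rather than half-censored output.
def censor_or_flag(text, pattern, max: MAX_REPLACEMENTS)
  { text: censor(text, pattern, max: max), status: :ok }
rescue TooManyCensorMatches
  { text: nil, status: :pattern_too_broad }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs.
  puts censor_or_flag("this is a badword here", /\bbadword\b/i).inspect
  puts censor_or_flag("every character matches " * 10, /\w/).inspect
end
```

The cap bounds how many replacements are made and surfaces an over-broad watched word; it does not bound the cost of a single expensive match.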