FIX: escape Vimeo iframe URL


diff --git a/lib/pretty_text.rb b/lib/pretty_text.rb
index 7f06bb6..f3e1aa8 100644
--- a/lib/pretty_text.rb
+++ b/lib/pretty_text.rb
@@ -376,7 +376,7 @@ module PrettyText
   def self.convert_vimeo_iframes(doc)
     doc.css("iframe[src*='player.vimeo.com']").each do |iframe|
       if iframe["data-original-href"].present?
-        vimeo_url = iframe["data-original-href"]
+        vimeo_url = UrlHelper.escape_uri(iframe["data-original-href"])
       else
         vimeo_id = iframe['src'].split('/').last
         vimeo_url = "https://vimeo.com/#{vimeo_id}"
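Review bot: Percent-encoding on the new line does not constrain the scheme or host of `data-original-href`, so a value such as `javascript:alert(1)` — letters and a colon only — would pass through `UrlHelper.escape_uri` unchanged and become `vimeo_url`; I infer escape_uri is a plain encoder because the spec hunk shows only `<`, `>` and space being rewritten. Since this attribute comes from the post body, restrict it to the expected origin before using it: `original = iframe["data-original-href"]` / `if original.present? && original.match?(%r{\Ahttps://vimeo\.com/}i)` / `vimeo_url = UrlHelper.escape_uri(original)`. The fallback branch two lines below still interpolates the unescaped last segment of `src` into the URL, and `src*='player.vimeo.com'` is a substring match, so the same escaping there would keep the two paths consistent. Where vimeo_url is consumed is outside the hunk; convert_vimeo_iframes continues past it.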
diff --git a/spec/components/pretty_text_spec.rb b/spec/components/pretty_text_spec.rb
index d56da1a..6933db7 100644
--- a/spec/components/pretty_text_spec.rb
+++ b/spec/components/pretty_text_spec.rb
@@ -748,6 +748,11 @@ describe PrettyText do
       html = "<p>Contact me at <a href=\"mailto:username@me.com\">this address</a>.</p>"
       expect(PrettyText.format_for_email(html, post)).to eq(html)
     end
+
+    it "prefers data-original-href attribute to get Vimeo iframe link and escapes it" do
+      html = "<p>Check out this video – <iframe src='https://player.vimeo.com/video/329875646' data-original-href='https://vimeo.com/329875646/> <script>alert(1)</script>'></iframe>.</p>"
+      expect(PrettyText.format_for_email(html, post)).to match(Regexp.escape("https://vimeo.com/329875646/%3E%20%3Cscript%3Ealert(1)%3C/script%3E"))
+    end
   end
 
   it 'Is smart about linebreaks and IMG tags' do
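Review bot: The new example only asserts that the percent-encoded URL appears in the output; it does not assert that the raw payload is absent, so a regression that emitted both forms would still pass. Add a negative check alongside it, e.g. `expect(PrettyText.format_for_email(html, post)).not_to include("<script>")`. The fallback path that derives the id from `src` when `data-original-href` is missing has no example at all, and a `data-original-href` with a non-vimeo or non-http scheme is also untested — both are the inputs a reviewer would most want pinned, though what the code does with them is outside this hunk.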

GitHub sha: 9758857a
