FIX: get vimeo URL from `data-original-href` iframe attribute

FIX: get vimeo URL from data-original-href iframe attribute

diff --git a/lib/pretty_text.rb b/lib/pretty_text.rb
index c32f603..7f06bb6 100644
--- a/lib/pretty_text.rb
+++ b/lib/pretty_text.rb
@@ -375,8 +375,13 @@ module PrettyText
 
   def self.convert_vimeo_iframes(doc)
     doc.css("iframe[src*='player.vimeo.com']").each do |iframe|
-      vimeo_id = iframe['src'].split('/').last
-      iframe.replace "<p><a href='https://vimeo.com/#{vimeo_id}'>https://vimeo.com/#{vimeo_id}</a></p>"
+      if iframe["data-original-href"].present?
+        vimeo_url = iframe["data-original-href"]
+      else
+        vimeo_id = iframe['src'].split('/').last
+        vimeo_url = "https://vimeo.com/#{vimeo_id}"
+      end
+      iframe.replace "<p><a href='#{vimeo_url}'>#{vimeo_url}</a></p>"
     end
   end
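Review bot: the `iframe.replace` line interpolates `vimeo_url` unescaped into both the single-quoted `href` attribute and the link text, and in the new branch that value comes straight from `iframe["data-original-href"]`. A value containing a single quote or markup would break out of `href='...'`. Suggest HTML-escaping `vimeo_url` before interpolation and checking that it is an http(s) URL. The fallback branch has the same exposure, since `vimeo_id` is taken from `src` with `split('/').last` and is not validated either.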

GitHub sha: 66582ed9

1 Like

I don’t see a security hole here, but we should always be a bit extra safe here.

What if `data-original-href` is `> <script>alert(1)</script>`? I know the odds of this kind of storm hitting are close to zero because there is an IFRAME at play, but still we should do the standard URL escaping here.

3 Likes

Agreed, done in:

2 Likes