lib/onebox/engine/standard_embed.rb in onebox-1.7.2 vs lib/onebox/engine/standard_embed.rb in onebox-1.7.3

- old
+ new

@@ -1,5 +1,7 @@
+require "cgi"
+
 module Onebox
 module Engine
 module StandardEmbed
 def self.oembed_providers
@@ -91,18 +93,18 @@
 og = {}
 html_doc.css('meta').each do |m|
 if (m["property"] && m["property"][/^og:(.+)$/i]) || (m["name"] && m["name"][/^og:(.+)$/i])
 value = (m["content"] || m["value"]).to_s
- og[$1.tr('-:','_').to_sym] ||= value unless Onebox::Helpers::blank?(value)
+ og[$1.tr('-:','_').to_sym] ||= CGI.escapeHTML(value) unless Onebox::Helpers::blank?(value)
 end
 end
 # Attempt to retrieve the title from the meta tag
 title_element = html_doc.at_css('title')
 if title_element && title_element.text
- og[:title] ||= title_element.text unless Onebox::Helpers.blank?(title_element.text)
+ og[:title] ||= CGI.escapeHTML(title_element.text) unless Onebox::Helpers.blank?(title_element.text)
 end
 og
 end
@@ -112,10 +114,10 @@
 twitter = {}
 html_doc.css('meta').each do |m|
 if (m["property"] && m["property"][/^twitter:(.+)$/i]) || (m["name"] && m["name"][/^twitter:(.+)$/i])
 value = (m["content"] || m["value"]).to_s
- twitter[$1.tr('-:','_').to_sym] ||= value unless Onebox::Helpers::blank?(value)
+ twitter[$1.tr('-:','_').to_sym] ||= CGI.escapeHTML(value) unless Onebox::Helpers::blank?(value)
 end
 end
 twitter
 end
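Review bot: The new `CGI.escapeHTML` calls in the og and twitter hunks escape every captured property at extraction time, so values that are URLs rather than display text (any `og:`/`twitter:` property carrying a link) come back with `&` rewritten to `&amp;` and quotes turned into entities. That encoding is correct only for a raw-HTML output context; a consumer that fetches the URL, serialises the hash to JSON, or passes the value through a template that escapes again will see a broken link or double-escaped text (`&amp;amp;`). The hunks do not show where these hashes are rendered, so if every consumer is a raw HTML template this is fine, but the invariant is invisible to them and I would state it at each assignment, `# NOTE: values are HTML-escaped here; render them raw and do not escape again`, and consider escaping text-only fields at render time instead. The two `meta` loops are now identical except for the regex prefix and the target hash, so a small helper such as `meta_properties(html_doc, /^og:(.+)$/i)` would keep the escaping rule in one place. Both enclosing methods start outside their hunks.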