lib/onebox/preview.rb in onebox-1.7.3 vs lib/onebox/preview.rb in onebox-1.7.4
- old
+ new
@@ -1,5 +1,8 @@
+require "sanitize"
+require_relative "onebox_sanitize_config"
+
module Onebox
class Preview
attr_reader :cache
def initialize(link, parameters = Onebox.options)
@@ -9,18 +12,18 @@
@engine_class = Matcher.new(@url).oneboxed
end
def to_s
return "" unless engine
- process_html(engine_html)
+ sanitize process_html engine_html
rescue *Onebox::Preview.web_exceptions
""
end
def placeholder_html
return "" unless engine
- process_html(engine.placeholder_html)
+ sanitize process_html engine.placeholder_html
rescue *Onebox::Preview.web_exceptions
""
end
def options
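Review bot: The sanitizer is applied only at the two call sites in `to_s` and `placeholder_html`, so any other public method that returns engine markup would still hand out unfiltered HTML; none is visible in this hunk, so please confirm these are the only exits. The paren-less chain is also hard to read and easy to misparse once a second argument appears, so I would write `sanitize(process_html(engine_html))` and `sanitize(process_html(engine.placeholder_html))`. Keeping `sanitize` as the outermost call looks right, because `process_html` appears to re-serialise the document and should not run after the filter. Both methods rescue only `Onebox::Preview.web_exceptions`, so an error raised inside the sanitizer would presumably propagate to the caller instead of yielding `""`.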
@@ -58,9 +61,13 @@
return doc.to_html
end
end
html
+ end
+
+ def sanitize(html)
+ Sanitize.fragment(html, Sanitize::Config::ONEBOX)
end
def engine
return nil unless @engine_class
@engine ||= @engine_class.new(@url, cache)
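Review bot: The new `sanitize` method has no comment, and everything it guarantees depends on `Sanitize::Config::ONEBOX`, which is defined in `onebox_sanitize_config` and is not part of this diff. I would add a line above it such as `# Final filter for engine HTML: only elements and attributes in the ONEBOX allowlist survive.` so readers know this is the trust boundary for third-party markup. The allowlist deserves its own review, in particular which embed elements, URL schemes and attributes it permits. A spec asserting that `to_s` drops script elements and inline event-handler attributes would also stop a later config change from silently widening it. Whether the method sits under a `private` marker cannot be seen from this hunk; it probably should, since callers only need `to_s` and `placeholder_html`.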