5238f6788c
This commit introduces a new site setting: `block_hotlinked_media`. When enabled, all attempts to hotlink media (images, videos, and audio) will fail, and be replaced with a linked placeholder. Exceptions to the rule can be added via `block_hotlinked_media_exceptions`. `download_remote_image_to_local` can be used alongside this feature. In that case, hotlinked images will be blocked immediately when the post is created, but will then be replaced with the downloaded version a few seconds later. This implementation is purely server-side, and does not impact the composer preview. Technically, there are two stages to this feature: 1. `PrettyText.sanitize_hotlinked_media` is called during `PrettyText.cook`, and whenever new images are introduced by Onebox. It will iterate over all src/srcset attributes in the post HTML and check if they're allowed. If not, the attributes will be removed and replaced with a `data-blocked-hotlinked-src(set)` attribute 2. In the `CookedPostProcessor`, we iterate over all `data-blocked-hotlinked-src(set)` attributes and check whether we have a downloaded version of the media. If yes, we update the src to use the downloaded version. If not, the entire media element is replaced with a placeholder. The placeholder is labelled 'external media', and is a link to the offsite media. |
||
|---|---|---|
| .. | ||
| api_keys_spec.rb | ||
| auto_reject_reviewable_users_spec.rb | ||
| blocked_hotlinked_media_spec.rb | ||
| category_tag_spec.rb | ||
| content_security_policy_spec.rb | ||
| email_outbound_spec.rb | ||
| email_style_spec.rb | ||
| flags_spec.rb | ||
| group_spec.rb | ||
| invalid_request_spec.rb | ||
| invite_only_registration_spec.rb | ||
| message_bus_spec.rb | ||
| multisite_cookies_spec.rb | ||
| multisite_spec.rb | ||
| rate_limiting_spec.rb | ||
| same_ip_spammers_spec.rb | ||
| spam_rules_spec.rb | ||
| topic_auto_close_spec.rb | ||
| topic_thumbnail_spec.rb | ||
| watched_words_spec.rb | ||