FEATURE: whitelist and blacklist selectors for embeds

Gemfile

@@ -215,7 +215,11 @@ gem 'puma', require: false
 gem 'rbtrace', require: false, platform: :mri
 
 # required for feed importing and embedding
-gem 'ruby-readability', require: false
+#
+# temporary when this is merged https://github.com/cantino/ruby-readability/pull/70
+# get rid of this
+gem 'ruby-readability-discourse', require: false
+
 gem 'simple-rss', require: false
 gem 'gctools', require: false, platform: :mri_21
 gem 'stackprof', require: false, platform: :mri_21

Gemfile.lock

@@ -298,7 +298,7 @@ GEM
       rspec-mocks (~> 2.14.0)
     ruby-hmac (0.4.0)
     ruby-openid (2.5.0)
-    ruby-readability (0.6.0)
+    ruby-readability-discourse (0.6.1)
       guess_html_encoding (>= 0.0.4)
       nokogiri (>= 1.4.2)
     sanitize (2.1.0)
@@ -457,7 +457,7 @@ DEPENDENCIES
   rinku
   rspec-given
   rspec-rails
-  ruby-readability
+  ruby-readability-discourse
   sanitize
   sass
   sass-rails (~> 4.0.2)

app/models/topic_embed.rb

@@ -64,10 +64,16 @@ class TopicEmbed < ActiveRecord::Base
 
     url = normalize_url(url)
     original_uri = URI.parse(url)
-    doc = Readability::Document.new(open(url).read,
+    opts = {
-                                        tags: %w[div p code pre h1 h2 h3 b em i strong a img ul li ol blockquote],
+      tags: %w[div p code pre h1 h2 h3 b em i strong a img ul li ol blockquote],
-                                        attributes: %w[href src],
+      attributes: %w[href src],
-                                        remove_empty_nodes: false)
+      remove_empty_nodes: false
+    }
+
+    opts[:whitelist] = SiteSetting.embed_whitelist_selector if SiteSetting.embed_whitelist_selector.present?
+    opts[:blacklist] = SiteSetting.embed_blacklist_selector if SiteSetting.embed_blacklist_selector.present?
+
+    doc = Readability::Document.new(open(url).read, opts)
 
     tags = {'img' => 'src', 'script' => 'src', 'a' => 'href'}
     title = doc.title

config/locales/server.en.yml

@@ -870,6 +870,8 @@ en:
     embed_truncate: "Truncate the imported posts"
     embed_category: "Category of created topics"
     embed_post_limit: "Maximum number of posts to embed"
+    embed_whitelist_selector: "css selector for elements that are allowed in embeds"
+    embed_blacklist_selector: "css selector for elements that are removed from embeds"
     tos_accept_required: "If enabled, users will need to check a box on the signup form to confirm that they accept the terms of service. Edit 'Signup Form: Terms of Service Message' in the Content tab to change the message."
     notify_about_flags_after: "If there are flags that haven't been handled after this many hours, send an email to the contact_email. Set to 0 to disable."
 

config/site_settings.yml

@@ -425,6 +425,8 @@ embedding:
   embed_category: ''
   embed_post_limit: 100
   embed_truncate: false
+  embed_whitelist_selector: ''
+  embed_blacklist_selector: ''
 
 legal:
   tos_url: