From 9b89c62d438acc48caa6cdf939ced90a75a86c5b Mon Sep 17 00:00:00 2001
From: ThibG <thib@sitedethib.com>
Date: Sat, 10 Nov 2018 20:42:04 +0100
Subject: [PATCH] Check that twitter:player is valid before using it (#9254)

Fixes #9251
---
 app/services/fetch_link_card_service.rb | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/app/services/fetch_link_card_service.rb b/app/services/fetch_link_card_service.rb
index 3e77579bb..38c578de2 100644
--- a/app/services/fetch_link_card_service.rb
+++ b/app/services/fetch_link_card_service.rb
@@ -136,14 +136,15 @@ class FetchLinkCardService < BaseService
     detector = CharlockHolmes::EncodingDetector.new
     detector.strip_tags = true
 
-    guess = detector.detect(@html, @html_charset)
-    page  = Nokogiri::HTML(@html, nil, guess&.fetch(:encoding, nil))
+    guess      = detector.detect(@html, @html_charset)
+    page       = Nokogiri::HTML(@html, nil, guess&.fetch(:encoding, nil))
+    player_url = meta_property(page, 'twitter:player')
 
-    if meta_property(page, 'twitter:player')
+    if player_url && !bad_url?(Addressable::URI.parse(player_url))
       @card.type   = :video
       @card.width  = meta_property(page, 'twitter:player:width') || 0
       @card.height = meta_property(page, 'twitter:player:height') || 0
-      @card.html   = content_tag(:iframe, nil, src: meta_property(page, 'twitter:player'),
+      @card.html   = content_tag(:iframe, nil, src: player_url,
                                                width: @card.width,
                                                height: @card.height,
                                                allowtransparency: 'true',