From d095dbcc1454beeb98aa4ab99ca1ee8754675bbf Mon Sep 17 00:00:00 2001
From: f
Date: Wed, 1 Feb 2023 17:51:30 -0300
Subject: [PATCH 1/3] fix: usar HTML5

---
 app/models/metadata_content.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/app/models/metadata_content.rb b/app/models/metadata_content.rb
index 1664a18f..761518e8 100644
--- a/app/models/metadata_content.rb
+++ b/app/models/metadata_content.rb
@@ -24,7 +24,7 @@ class MetadataContent < MetadataTemplate
 end
 def to_s
- Nokogiri::HTML.fragment(value).tap do |html|
+ Nokogiri::HTML5.fragment(value).tap do |html|
 html.css('[src^="public/"]').each do |element|
 element['src'] = convert_internal_path_to_src element['src']
 end
@@ -46,7 +46,7 @@ class MetadataContent < MetadataTemplate
 # TODO: En lugar de comprobar el Content Type acá, restringir los
 # tipos de archivo a aceptar en ActiveStorage.
 def sanitize(html_string)
- html = Nokogiri::HTML.fragment(super html_string)
+ html = Nokogiri::HTML5.fragment(super html_string)
 elements = 'img,audio,video,iframe'
 # Eliminar elementos sin src y comprobar su origen

From 727435569c5fba11bb3b02363c041ee9af49fb39 Mon Sep 17 00:00:00 2001
From: f
Date: Wed, 1 Feb 2023 17:51:58 -0300
Subject: [PATCH 2/3] =?UTF-8?q?fix:=20rehabilitar=20protecci=C3=B3n=20cont?= =?UTF-8?q?ra=20dns=20rebinding?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

lo habíamos deshabilitado en 2022 sin una explicación real y nos impide verificar la procedencia de los archivos.
---
 config/initializers/hosts.rb | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/config/initializers/hosts.rb b/config/initializers/hosts.rb
index 58ee2e39..db8bd9c4 100644
--- a/config/initializers/hosts.rb
+++ b/config/initializers/hosts.rb
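Review bot: `Nokogiri::HTML5.fragment` on the `+` line of `to_s` turns the HTML5 parser into a hard requirement, and nothing in this series touches the Gemfile or Gemfile.lock; that constant is only defined when the installed Nokogiri ships the HTML5 parser (bundled from 1.12 onward, provided by the separate nokogumbo gem before that), so a lock file pinned to an older release fails with NameError the first time `to_s` runs. Worth raising the minimum Nokogiri version in the same change, or at least stating the requirement in the commit message. The `tap` block and the remainder of `to_s` continue outside the hunk.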
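Review bot: In `sanitize`, the `+` line re-parses the string returned by `super` with the HTML5 parser, so the parser that decided what to strip and the parser that decides what markup the result actually contains are now different (presumably `super` is the Rails sanitizer, which in most releases parses with libxml2's HTML4 rules — confirm the version in use). Markup that is inert under one parser can form a different tree under the other, which is the mutation-XSS pattern, and the src/origin checks that follow in this method (outside the hunk) do not cover it. Safer to make the sanitizer the last step — run it over the serialized result of the Nokogiri pass where the method returns — or to sanitize and serialize with the same parser.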
@@ -1,11 +1,10 @@
 # frozen_string_literal: true
 Rails.application.configure do
- next unless ENV['RAILS_ENV'] == 'development'
+ next Rails.env.test?
 domain = ENV.fetch('SUTTY', 'sutty.nl')
- config.hosts << domain
 config.hosts << "panel.#{domain}"
 config.hosts << "api.#{domain}"
 end

From 28767145a5a953335cd82c154416e770d5a56822 Mon Sep 17 00:00:00 2001
From: f
Date: Wed, 1 Feb 2023 17:54:34 -0300
Subject: [PATCH 3/3] feat: habilitar la api pero no el panel

retrocompatibilidad con sitios que llaman a api.sit.io
---
 config/initializers/hosts.rb | 1 +
 1 file changed, 1 insertion(+)

diff --git a/config/initializers/hosts.rb b/config/initializers/hosts.rb
index db8bd9c4..e0a3c2be 100644
--- a/config/initializers/hosts.rb
+++ b/config/initializers/hosts.rb
@@ -7,4 +7,5 @@ Rails.application.configure do
 config.hosts << "panel.#{domain}"
 config.hosts << "api.#{domain}"
+ config.hosts << /\Aapi\./
 end
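Review bot: `next Rails.env.test?` on the `+` line leaves the configure block unconditionally — `next` with an argument ends the block and returns that value, it does not skip only when the condition holds — so the `config.hosts` lines below it never run and `config.hosts` stays empty, which in production means Rails performs no host authorization at all; the DNS rebinding protection this commit says it re-enables is therefore still off, and the line added in [PATCH 3/3] sits below the same `next`. The intended guard is `next if Rails.env.test?`. Dropping `config.hosts << domain` also means a request for the bare `domain` is rejected once the guard is fixed; the commit message does not say whether that is intended.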
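Review bot: The `/\Aapi\./` appended to `config.hosts` does not admit `api.sit.io` as the commit message intends: Rails wraps a Regexp host entry in `\A`…`\z` so it has to match the whole hostname, and this pattern only matches the literal string `api.`. Loosening it to match any `api.`-prefixed name would accept every hostname with that prefix and hand back the rebinding exposure [PATCH 2/3] is meant to close, so list the legacy host explicitly instead: `config.hosts << 'api.sit.io'`. The line is also unreachable while the `next` at the top of this block (changed in [PATCH 2/3]) returns unconditionally.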