From 0bd8a2243e88db85da363ad2101056c9361aeec2 Mon Sep 17 00:00:00 2001
From: f
Date: Wed, 11 Aug 2021 10:25:05 -0300
Subject: [PATCH] Solo permitir URLs web al sanitizar fixes #2382
---
 app/models/metadata_content.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/app/models/metadata_content.rb b/app/models/metadata_content.rb
index 437a0dd..9d3a104 100644
--- a/app/models/metadata_content.rb
+++ b/app/models/metadata_content.rb
@@ -56,7 +56,7 @@ class MetadataContent < MetadataTemplate
 uri = URI element['src']
 # No permitimos recursos externos
- element.remove unless uri.hostname.end_with? Site.domain
+ element.remove unless uri.scheme == 'https' && uri.hostname.end_with?(Site.domain)
 rescue URI::Error
 element.remove
 end
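Review bot: The host test on the added line is still a bare suffix match, so `uri.hostname.end_with?(Site.domain)` accepts any host whose name merely ends in the site domain's string, including a different domain with extra leading characters, not only the site domain and its subdomains. Assuming `Site.domain` returns a bare host name, matching on a label boundary closes that gap: `host = uri.hostname` followed by `element.remove unless uri.scheme == 'https' && host && (host == Site.domain || host.end_with?(".#{Site.domain}"))`. The `host &&` guard matters because an `https:` value with no authority part parses with a nil hostname, and the resulting `NoMethodError` is not a `URI::Error`, so it escapes the `rescue` instead of removing the element. The enclosing method begins and ends outside this hunk, so what happens to such an exception further up cannot be judged from here.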