From a1421c2380d742f5e9b301901e4f78daee9aa00e Mon Sep 17 00:00:00 2001
From: Thibaut Patel <thibaut@ghost.org>
Date: Wed, 1 Dec 2021 15:14:59 +0100
Subject: [PATCH] =?UTF-8?q?=F0=9F=90=9B=20Fixes=20oembed=20bookmark=20with?=
 =?UTF-8?q?=20whitespaces?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

refs https://github.com/TryGhost/Team/issues/1200

- The leading/trailing whitespaces are trimmed by `new URL()` but are considered invalid in metascraper. Trimming solves this edge case.
---
 core/server/services/oembed.js    |  4 ++++
 test/e2e-api/admin/oembed.test.js | 13 ++++++++++++-
 2 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/core/server/services/oembed.js b/core/server/services/oembed.js
index ccf86682e7..3b72ab9daa 100644
--- a/core/server/services/oembed.js
+++ b/core/server/services/oembed.js
@@ -284,6 +284,10 @@ class OEmbed {
         try {
             const urlObject = new URL(url);
 
+            // Trimming solves the difference of url validation between `new URL(url)`
+            // and metascraper.
+            url = url.trim();
+
             for (const provider of this.customProviders) {
                 if (await provider.canSupportRequest(urlObject)) {
                     const result = await provider.getOEmbedData(urlObject, this.externalRequest);
diff --git a/test/e2e-api/admin/oembed.test.js b/test/e2e-api/admin/oembed.test.js
index 998e4bc704..ec8484ea03 100644
--- a/test/e2e-api/admin/oembed.test.js
+++ b/test/e2e-api/admin/oembed.test.js
@@ -70,7 +70,7 @@ describe('Oembed API', function () {
                     {'content-type': 'text/html'}
                 );
 
-            const url = encodeURIComponent('http://example.com');
+            const url = encodeURIComponent(' http://example.com\t '); // Whitespaces are to make sure urls are trimmed
             const res = await request.get(localUtils.API.getApiQuery(`oembed/?url=${url}&type=bookmark`))
                 .set('Origin', config.get('url'))
                 .expect('Content-Type', /json/)
@@ -150,6 +150,17 @@ describe('Oembed API', function () {
             pageMock.isDone().should.be.true();
             should.exist(res.body.errors);
         });
+
+        it('errors when fetched url is incorrect', async function () {
+            const url = encodeURIComponent('example.com');
+            const res = await request.get(localUtils.API.getApiQuery(`oembed/?type=bookmark&url=${url}`))
+                .set('Origin', config.get('url'))
+                .expect('Content-Type', /json/)
+                .expect('Cache-Control', testUtils.cacheRules.private)
+                .expect(422);
+
+            should.exist(res.body.errors);
+        });
     });
 
     describe('with unknown provider', function () {