Allow third party images in user content

app/controllers/application_controller.rb

@@ -427,6 +427,10 @@ class ApplicationController < ActionController::Base
     request.xhr? ? "xhr" : "map"
   end
 
+  def allow_thirdparty_images
+    append_content_security_policy_directives(:img_src => %w[*])
+  end
+
   def preferred_editor
     editor = if params[:editor]
                params[:editor]

app/controllers/diary_entry_controller.rb

@@ -8,6 +8,7 @@ class DiaryEntryController < ApplicationController
   before_action :check_database_readable
   before_action :check_database_writable, :only => [:new, :edit, :comment, :hide, :hidecomment, :subscribe, :unsubscribe]
   before_action :require_administrator, :only => [:hide, :hidecomment]
+  before_action :allow_thirdparty_images, :only => [:new, :edit, :list, :view, :comments]
 
   def new
     @title = t "diary_entry.new.title"

app/controllers/message_controller.rb

@@ -7,6 +7,7 @@ class MessageController < ApplicationController
   before_action :lookup_this_user, :only => [:new]
   before_action :check_database_readable
   before_action :check_database_writable, :only => [:new, :reply, :mark]
+  before_action :allow_thirdparty_images, :only => [:new, :read]
 
   # Allow the user to write a new message to another user. This action also
   # deals with the sending of that message to the other user when the user

app/controllers/user_controller.rb

@@ -18,6 +18,7 @@ class UserController < ApplicationController
   around_action :api_call_handle_error, :only => [:api_read, :api_details, :api_gpx_files]
   before_action :lookup_user_by_id, :only => [:api_read]
   before_action :lookup_user_by_name, :only => [:set_status, :delete]
+  before_action :allow_thirdparty_images, :only => [:view, :account]
 
   def terms
     @legale = params[:legale] || OSM.ip_to_country(request.remote_ip) || DEFAULT_LEGALE