From 3e7e3de554ac35653bf1a094d4694a8c43ccf289 Mon Sep 17 00:00:00 2001
From: hannes
Date: Wed, 13 Jan 2016 16:01:27 +0000
Subject: [PATCH 1/2] don't allow cdata elements in purified html

---
 lib/util.php | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/lib/util.php b/lib/util.php
index 1d973d7100..156a40a5cb 100644
--- a/lib/util.php
+++ b/lib/util.php
@@ -581,7 +581,8 @@ function common_purify($html)
 
     $config = array('safe' => 1,    // means that elements=* means elements=*-applet-embed-iframe-object-script or so
                     'elements' => '*',
-                    'deny_attribute' => 'id,style,on*');
+                    'deny_attribute' => 'id,style,on*',
+                    'cdata' => 1);
 
     // Remove more elements than what the 'safe' filter gives (elements must be '*' before this)
     // http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed/htmLawed_README.htm#s3.6
@@ -2458,4 +2459,4 @@ function html_sprintf()
 function _ve($var)
 {
     return var_export($var, true);
-}
+}
\ No newline at end of file

From ee305891c43ccf8e76d107a89e1626a373d1ecaa Mon Sep 17 00:00:00 2001
From: hannes
Date: Wed, 13 Jan 2016 16:03:38 +0000
Subject: [PATCH 2/2] purify oembed html

---
 plugins/Oembed/lib/oembedhelper.php | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/plugins/Oembed/lib/oembedhelper.php b/plugins/Oembed/lib/oembedhelper.php
index 7abd76109a..b0527b7529 100644
--- a/plugins/Oembed/lib/oembedhelper.php
+++ b/plugins/Oembed/lib/oembedhelper.php
@@ -158,7 +158,15 @@ class oEmbedHelper
         if(isset($key)) {
             $params['key'] = common_config('oembed','apikey');
         }
-        return HTTPClient::quickGetJson($api, $params);
+
+        $oembed_data = HTTPClient::quickGetJson($api, $params);
+
+        // purify html
+        if(isset($oembed_data->html)) {
+            $oembed_data->html = common_purify($oembed_data->html);
+        }
+
+        return $oembed_data;
     }
 
     /**
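Review bot: The new `'cdata' => 1` entry in the htmLawed `$config` is undocumented, and the value does not obviously match the commit title "don't allow cdata elements": if I read htmLawed's `cdata` parameter correctly, 0 removes CDATA sections outright while 1 keeps them but neutralizes them into plain text, so confirm which behaviour is intended and record it next to the setting, e.g. `'cdata' => 1); // neutralize CDATA sections to text (htmLawed: 0 removes, 1 neutralizes; default leaves them as-is)`. Since the surrounding comment already explains `'safe'` and `'elements'`, every key in this array should carry the same one-line rationale so the next person tightening the filter knows why each value was chosen. htmLawed also has a `comment` parameter governing HTML comments, which this change does not set; it is worth checking whether the same reasoning applies there. common_purify continues outside the hunk, so later calls that narrow `elements` are not visible here.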
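Review bot: Passing `$oembed_data->html` through common_purify will, given that function's `'safe' => 1` configuration (its own comment says this drops applet/embed/iframe/object/script), strip the iframe that most oEmbed `video`/`rich` providers return, so callers may now receive an empty or text-only `html` rather than a sanitized embed; if that is the intended trade-off, the comment should say so, e.g. `// purify html: 'safe' mode removes iframe/script, so rich embeds are reduced to their text content`. The new code also treats only `html` as untrusted, while the other provider-supplied fields on `$oembed_data` (title, author_name, provider_name, thumbnail_url and so on) come from the same remote JSON and still need escaping wherever they are rendered; a short comment to that effect here would stop a reader from assuming the whole object is now safe. Because the JSON is remote input, `isset($oembed_data->html)` does not guarantee a string; `if (isset($oembed_data->html) && is_string($oembed_data->html))` avoids handing an array or object to the purifier. The enclosing method begins outside the hunk.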
@@ -211,4 +219,4 @@ class oEmbedHelper_DiscoveryException extends oEmbedHelper_Exception
     {
         return parent::__construct('No oEmbed discovery data.', 0, $previous);
     }
-}
+}
\ No newline at end of file