Filter out img, video and audio tags in notice HTML
Because we don't want to auto-fetch items from a remote server. Such items should be delivered as attachment metadata and portrayed in the way the local instance chooses. Choices for portrayal are either simply nullifying this and embedding the data, linking the file remotely requiring a manual click or maybe use remote oEmbed data etc. to download files locally so no remote requests have to be made.
This commit is contained in:
parent
a1098fa153
commit
8439efe77d
@ -285,6 +285,11 @@ $default =
|
|||||||
array('handle' => false, // whether to handle sessions ourselves
|
array('handle' => false, // whether to handle sessions ourselves
|
||||||
'debug' => false, // debugging output for sessions
|
'debug' => false, // debugging output for sessions
|
||||||
'gc_limit' => 1000), // max sessions to expire at a time
|
'gc_limit' => 1000), // max sessions to expire at a time
|
||||||
|
'htmlfilter' => array( // purify HTML through htmLawed
|
||||||
|
'img' => true,
|
||||||
|
'video' => true,
|
||||||
|
'audio' => true,
|
||||||
|
),
|
||||||
'notice' =>
|
'notice' =>
|
||||||
array('contentlimit' => null,
|
array('contentlimit' => null,
|
||||||
'defaultscope' => null, // null means 1 if site/private, 0 otherwise
|
'defaultscope' => null, // null means 1 if site/private, 0 otherwise
|
||||||
|
18
lib/util.php
18
lib/util.php
@ -580,9 +580,18 @@ function common_purify($html)
|
|||||||
{
|
{
|
||||||
require_once INSTALLDIR.'/extlib/htmLawed/htmLawed.php';
|
require_once INSTALLDIR.'/extlib/htmLawed/htmLawed.php';
|
||||||
|
|
||||||
$config = array('safe' => 1,
|
$config = array('safe' => 1, // means that elements=* means elements=*-applet-embed-iframe-object-script or so
|
||||||
|
'elements' => '*',
|
||||||
'deny_attribute' => 'id,style,on*');
|
'deny_attribute' => 'id,style,on*');
|
||||||
|
|
||||||
|
// Remove more elements than what the 'safe' filter gives (elements must be '*' before this)
|
||||||
|
// http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed/htmLawed_README.htm#s3.6
|
||||||
|
foreach (common_config('htmlfilter') as $tag=>$filter) {
|
||||||
|
if ($filter === true) {
|
||||||
|
$config['elements'] .= "-{$tag}";
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
$html = common_remove_unicode_formatting($html);
|
$html = common_remove_unicode_formatting($html);
|
||||||
|
|
||||||
return htmLawed($html, $config);
|
return htmLawed($html, $config);
|
||||||
@ -1929,9 +1938,14 @@ function common_negotiate_type($cprefs, $sprefs)
|
|||||||
return $besttype;
|
return $besttype;
|
||||||
}
|
}
|
||||||
|
|
||||||
function common_config($main, $sub)
|
function common_config($main, $sub=null)
|
||||||
{
|
{
|
||||||
global $config;
|
global $config;
|
||||||
|
if (is_null($sub)) {
|
||||||
|
// Return the config category array
|
||||||
|
return array_key_exists($main, $config) ? $config[$main] : array();
|
||||||
|
}
|
||||||
|
// Return the config value
|
||||||
return (array_key_exists($main, $config) &&
|
return (array_key_exists($main, $config) &&
|
||||||
array_key_exists($sub, $config[$main])) ? $config[$main][$sub] : false;
|
array_key_exists($sub, $config[$main])) ? $config[$main][$sub] : false;
|
||||||
}
|
}
|
||||||
|
Loading…
Reference in New Issue
Block a user