forked from GNUsocial/gnu-social
Merge branch 'oembed_branch' into 'nightly'
purify oembed html and don't allow cdata hopefully we never need stuff in cdata reason for this is that this link serves javascript in its oembed data: https://www.maketecheasier.com/switch-windows-10-to-linux/ see: https://www.maketecheasier.com/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fwww.maketecheasier.com%2Fswitch-windows-10-to-linux%2F i don't feel we want that in our database. See merge request !79
This commit is contained in:
commit
44c10bb2aa
@ -581,7 +581,8 @@ function common_purify($html)
|
|||||||
|
|
||||||
$config = array('safe' => 1, // means that elements=* means elements=*-applet-embed-iframe-object-script or so
|
$config = array('safe' => 1, // means that elements=* means elements=*-applet-embed-iframe-object-script or so
|
||||||
'elements' => '*',
|
'elements' => '*',
|
||||||
'deny_attribute' => 'id,style,on*');
|
'deny_attribute' => 'id,style,on*',
|
||||||
|
'cdata' => 1);
|
||||||
|
|
||||||
// Remove more elements than what the 'safe' filter gives (elements must be '*' before this)
|
// Remove more elements than what the 'safe' filter gives (elements must be '*' before this)
|
||||||
// http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed/htmLawed_README.htm#s3.6
|
// http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed/htmLawed_README.htm#s3.6
|
||||||
|
@ -158,7 +158,15 @@ class oEmbedHelper
|
|||||||
if(isset($key)) {
|
if(isset($key)) {
|
||||||
$params['key'] = common_config('oembed','apikey');
|
$params['key'] = common_config('oembed','apikey');
|
||||||
}
|
}
|
||||||
return HTTPClient::quickGetJson($api, $params);
|
|
||||||
|
$oembed_data = HTTPClient::quickGetJson($api, $params);
|
||||||
|
|
||||||
|
// purify html
|
||||||
|
if(isset($oembed_data->html)) {
|
||||||
|
$oembed_data->html = common_purify($oembed_data->html);
|
||||||
|
}
|
||||||
|
|
||||||
|
return $oembed_data;
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
@ -211,4 +219,4 @@ class oEmbedHelper_DiscoveryException extends oEmbedHelper_Exception
|
|||||||
{
|
{
|
||||||
return parent::__construct('No oEmbed discovery data.', 0, $previous);
|
return parent::__construct('No oEmbed discovery data.', 0, $previous);
|
||||||
}
|
}
|
||||||
}
|
}
|
Loading…
Reference in New Issue
Block a user