Merge branch 'oembed_branch' into 'nightly'

purify oembed html and don't allow cdata hopefully we never need stuff in cdata reason for this is that this link serves javascript in its oembed data: https://www.maketecheasier.com/switch-windows-10-to-linux/ see: https://www.maketecheasier.com/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fwww.maketecheasier.com%2Fswitch-windows-10-to-linux%2F i don't feel we want that in our database. See merge request !79
2016-01-15 13:11:35 +00:00 · 2016-01-15 13:11:35 +00:00 · 44c10bb2aa
commit 44c10bb2aa
parent a1530b0e68 ee305891c4
2 changed files with 12 additions and 3 deletions
--- a/lib/util.php
+++ b/lib/util.php
@ -581,7 +581,8 @@ function common_purify($html)

    $config = array('safe' => 1,    // means that elements=* means elements=*-applet-embed-iframe-object-script or so
                    'elements' => '*',
-                    'deny_attribute' => 'id,style,on*');
+                    'deny_attribute' => 'id,style,on*',
+                    'cdata' => 1);

    // Remove more elements than what the 'safe' filter gives (elements must be '*' before this)
    // http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed/htmLawed_README.htm#s3.6
--- a/plugins/Oembed/lib/oembedhelper.php
+++ b/plugins/Oembed/lib/oembedhelper.php
@ -158,7 +158,15 @@ class oEmbedHelper
        if(isset($key)) {
            $params['key'] = common_config('oembed','apikey');
        }
-        return HTTPClient::quickGetJson($api, $params);
+        
+        $oembed_data = HTTPClient::quickGetJson($api, $params);
+        
+        // purify html
+        if(isset($oembed_data->html)) {
+        	$oembed_data->html = common_purify($oembed_data->html);
+        	}
+        
+        return $oembed_data;
    }

    /**
@ -211,4 +219,4 @@ class oEmbedHelper_DiscoveryException extends oEmbedHelper_Exception
    {
        return parent::__construct('No oEmbed discovery data.', 0, $previous);
    }
-}
+}