Filter out img, video and audio tags in notice HTML

Because we don't want to auto-fetch items from a remote server. Such
items should be delivered as attachment metadata and portrayed in the
way the local instance chooses.

Choices for portrayal are either simply nullifying this and embedding
the data, linking the file remotely requiring a manual click or maybe
use remote oEmbed data etc. to download files locally so no remote
requests have to be made.
This commit is contained in:
Mikael Nordfeldth 2015-03-15 14:35:29 +01:00
parent a1098fa153
commit 8439efe77d
2 changed files with 21 additions and 2 deletions

View File

@ -285,6 +285,11 @@ $default =
array('handle' => false, // whether to handle sessions ourselves array('handle' => false, // whether to handle sessions ourselves
'debug' => false, // debugging output for sessions 'debug' => false, // debugging output for sessions
'gc_limit' => 1000), // max sessions to expire at a time 'gc_limit' => 1000), // max sessions to expire at a time
'htmlfilter' => array( // purify HTML through htmLawed
'img' => true,
'video' => true,
'audio' => true,
),
'notice' => 'notice' =>
array('contentlimit' => null, array('contentlimit' => null,
'defaultscope' => null, // null means 1 if site/private, 0 otherwise 'defaultscope' => null, // null means 1 if site/private, 0 otherwise

View File

@ -580,9 +580,18 @@ function common_purify($html)
{ {
require_once INSTALLDIR.'/extlib/htmLawed/htmLawed.php'; require_once INSTALLDIR.'/extlib/htmLawed/htmLawed.php';
$config = array('safe' => 1, $config = array('safe' => 1, // means that elements=* means elements=*-applet-embed-iframe-object-script or so
'elements' => '*',
'deny_attribute' => 'id,style,on*'); 'deny_attribute' => 'id,style,on*');
// Remove more elements than what the 'safe' filter gives (elements must be '*' before this)
// http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed/htmLawed_README.htm#s3.6
foreach (common_config('htmlfilter') as $tag=>$filter) {
if ($filter === true) {
$config['elements'] .= "-{$tag}";
}
}
$html = common_remove_unicode_formatting($html); $html = common_remove_unicode_formatting($html);
return htmLawed($html, $config); return htmLawed($html, $config);
@ -1929,9 +1938,14 @@ function common_negotiate_type($cprefs, $sprefs)
return $besttype; return $besttype;
} }
function common_config($main, $sub) function common_config($main, $sub=null)
{ {
global $config; global $config;
if (is_null($sub)) {
// Return the config category array
return array_key_exists($main, $config) ? $config[$main] : array();
}
// Return the config value
return (array_key_exists($main, $config) && return (array_key_exists($main, $config) &&
array_key_exists($sub, $config[$main])) ? $config[$main][$sub] : false; array_key_exists($sub, $config[$main])) ? $config[$main][$sub] : false;
} }