Merge branch 'oembed_branch' into 'nightly'

purify oembed html and don't allow cdata

hopefully we never need stuff in cdata

reason for this is that this link serves javascript in its oembed data: https://www.maketecheasier.com/switch-windows-10-to-linux/

see:
https://www.maketecheasier.com/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fwww.maketecheasier.com%2Fswitch-windows-10-to-linux%2F

i don't feel we want that in our database.  

See merge request !79
This commit is contained in:
mmn 2016-01-15 13:11:35 +00:00
commit 44c10bb2aa
2 changed files with 12 additions and 3 deletions

View File

@ -581,7 +581,8 @@ function common_purify($html)
$config = array('safe' => 1, // means that elements=* means elements=*-applet-embed-iframe-object-script or so $config = array('safe' => 1, // means that elements=* means elements=*-applet-embed-iframe-object-script or so
'elements' => '*', 'elements' => '*',
'deny_attribute' => 'id,style,on*'); 'deny_attribute' => 'id,style,on*',
'cdata' => 1);
// Remove more elements than what the 'safe' filter gives (elements must be '*' before this) // Remove more elements than what the 'safe' filter gives (elements must be '*' before this)
// http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed/htmLawed_README.htm#s3.6 // http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed/htmLawed_README.htm#s3.6

View File

@ -158,7 +158,15 @@ class oEmbedHelper
if(isset($key)) { if(isset($key)) {
$params['key'] = common_config('oembed','apikey'); $params['key'] = common_config('oembed','apikey');
} }
return HTTPClient::quickGetJson($api, $params);
$oembed_data = HTTPClient::quickGetJson($api, $params);
// purify html
if(isset($oembed_data->html)) {
$oembed_data->html = common_purify($oembed_data->html);
}
return $oembed_data;
} }
/** /**