Merge pull request #6177 from annando/oembed-escaping
Sanitize the OEmbed data before processing it
This commit is contained in:
commit
a25df1a9c1
|
@ -247,8 +247,7 @@ class OEmbed
|
|||
|
||||
$ret .= '</div>';
|
||||
|
||||
$ret = str_replace("\n", "", $ret);
|
||||
return mb_convert_encoding($ret, 'HTML-ENTITIES', mb_detect_encoding($ret));
|
||||
return str_replace("\n", "", $ret);
|
||||
}
|
||||
|
||||
public static function BBCode2HTML($text)
|
||||
|
|
|
@ -42,6 +42,17 @@ class OEmbed
|
|||
}
|
||||
|
||||
foreach ($properties as $key => $value) {
|
||||
if (in_array($key, ['thumbnail_width', 'thumbnail_height', 'width', 'height'])) {
|
||||
// These values should be numbers, so ensure that they really are numbers.
|
||||
$value = (int)$value;
|
||||
} elseif ($key != 'html') {
|
||||
// Avoid being able to inject some ugly stuff through these fields.
|
||||
$value = htmlentities($value);
|
||||
} else {
|
||||
/// @todo Add a way to sanitize the html as well, possibly with an <iframe>?
|
||||
$value = mb_convert_encoding($value, 'HTML-ENTITIES', mb_detect_encoding($value));
|
||||
}
|
||||
|
||||
if (property_exists(__CLASS__, $key)) {
|
||||
$this->{$key} = $value;
|
||||
}
|
||||
|
|
Loading…
Reference in a new issue