bitPickups/friendica_2019-12_sharedHosting_hotFix
1
1
Fork 0
Code Pull requests Activity

Sanitize the OEmbed data before processing it

Browse source
This commit is contained in:
Michael 2018-11-21 07:07:24 +00:00
commit aa1882fd99
2 changed files with 12 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

3
src/Content/OEmbed.php
View file

@ -247,8 +247,7 @@ class OEmbed
$ret .= '</div>'; $ret .= '</div>';
$ret = str_replace("\n", "", $ret); return str_replace("\n", "", $ret);
return mb_convert_encoding($ret, 'HTML-ENTITIES', mb_detect_encoding($ret));
} }
public static function BBCode2HTML($text) public static function BBCode2HTML($text)

11
src/Object/OEmbed.php
View file

@ -42,6 +42,17 @@ class OEmbed
} }
foreach ($properties as $key => $value) { foreach ($properties as $key => $value) {
if (in_array($key, ['thumbnail_width', 'thumbnail_height', 'width', 'height'])) {
// These values should be numbers, so ensure that they really are numbers.
$value = (int)$value;
} elseif ($key != 'html') {
// Avoid being able to inject some ugly stuff through these fields.
$value = htmlentities($value);
} else {
/// @todo Add a way to sanitize the html as well, possibly with an <iframe>?
$value = mb_convert_encoding($value, 'HTML-ENTITIES', mb_detect_encoding($value));
}
if (property_exists(__CLASS__, $key)) { if (property_exists(__CLASS__, $key)) {
$this->{$key} = $value; $this->{$key} = $value;
} }