Merge pull request #6177 from annando/oembed-escaping
Sanitize the OEmbed data before processing it
This commit is contained in:
commit
a25df1a9c1
2 changed files with 12 additions and 2 deletions
|
@ -247,8 +247,7 @@ class OEmbed
|
||||||
|
|
||||||
$ret .= '</div>';
|
$ret .= '</div>';
|
||||||
|
|
||||||
$ret = str_replace("\n", "", $ret);
|
return str_replace("\n", "", $ret);
|
||||||
return mb_convert_encoding($ret, 'HTML-ENTITIES', mb_detect_encoding($ret));
|
|
||||||
}
|
}
|
||||||
|
|
||||||
public static function BBCode2HTML($text)
|
public static function BBCode2HTML($text)
|
||||||
|
|
|
@ -42,6 +42,17 @@ class OEmbed
|
||||||
}
|
}
|
||||||
|
|
||||||
foreach ($properties as $key => $value) {
|
foreach ($properties as $key => $value) {
|
||||||
|
if (in_array($key, ['thumbnail_width', 'thumbnail_height', 'width', 'height'])) {
|
||||||
|
// These values should be numbers, so ensure that they really are numbers.
|
||||||
|
$value = (int)$value;
|
||||||
|
} elseif ($key != 'html') {
|
||||||
|
// Avoid being able to inject some ugly stuff through these fields.
|
||||||
|
$value = htmlentities($value);
|
||||||
|
} else {
|
||||||
|
/// @todo Add a way to sanitize the html as well, possibly with an <iframe>?
|
||||||
|
$value = mb_convert_encoding($value, 'HTML-ENTITIES', mb_detect_encoding($value));
|
||||||
|
}
|
||||||
|
|
||||||
if (property_exists(__CLASS__, $key)) {
|
if (property_exists(__CLASS__, $key)) {
|
||||||
$this->{$key} = $value;
|
$this->{$key} = $value;
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in a new issue