Merge pull request #9675 from MrPetovan/bug/9656-purify-video-embed

Allow support for allowlisted iframe sources in Content\text\BBCode::convert
Michael Vogel 2020-12-19 17:01:08 +01:00 committed by GitHub
commit cb88be3883
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
4 changed files with 14 additions and 15 deletions


@ -502,10 +502,6 @@ You can embed video, audio and more in a message.
<td>[embed]URL[/embed]</td> <td>[embed]URL[/embed]</td>
<td>Embed OEmbed rich content.</td> <td>Embed OEmbed rich content.</td>
</tr> </tr>
<tr>
<td>[iframe]URL[/iframe]</td>
<td>General embed, iframe size is limited by the theme size for video players.</td>
</tr>
<tr> <tr>
<td>[url]*url*[/url]</td> <td>[url]*url*[/url]</td>
<td>If *url* supports oembed or opengraph specifications the embedded object will be shown (eg, documents from scribd). <td>If *url* supports oembed or opengraph specifications the embedded object will be shown (eg, documents from scribd).


@ -482,10 +482,6 @@ Du kannst Videos, Musikdateien und weitere Dinge in Beitr&auml;gen einbinden.
<td>[embed]URL[/embed]</td> <td>[embed]URL[/embed]</td>
<td>OEmbed rich content einbetten.</td> <td>OEmbed rich content einbetten.</td>
</tr> </tr>
<tr>
<td>[iframe]URL[/iframe]</td>
<td>General embed, iframe size is limited by the theme size for video players.</td>
</tr>
<tr> <tr>
<td>[url]*url*[/url]</td> <td>[url]*url*[/url]</td>
<td>Wenn *url* die OEmbed- oder Opengraph-Spezifikationen unterst&uuml;tzt, wird das Objekt eingebettet (z.B. Dokumente von scribd). <td>Wenn *url* die OEmbed- oder Opengraph-Spezifikationen unterst&uuml;tzt, wird das Objekt eingebettet (z.B. Dokumente von scribd).


@ -50,7 +50,7 @@ use Friendica\Util\XML;
class BBCode class BBCode
{ {
// Update this value to the current date whenever changes are made to BBCode::convert // Update this value to the current date whenever changes are made to BBCode::convert
const VERSION = '2020-12-18-small-emojis'; const VERSION = '2020-12-18-video-embeds';
const INTERNAL = 0; const INTERNAL = 0;
const API = 2; const API = 2;
@ -1622,11 +1622,8 @@ class BBCode
'<a href="$1" target="_blank" rel="noopener noreferrer">$1</a>', $text); '<a href="$1" target="_blank" rel="noopener noreferrer">$1</a>', $text);
} }
if ($try_oembed) { // Backward compatibility, [iframe] support has been removed in version 2020.12
$text = preg_replace("/\[iframe\](.*?)\[\/iframe\]/ism", '<iframe src="$1" width="' . $a->videowidth . '" height="' . $a->videoheight . '"><a href="$1">$1</a></iframe>', $text);
} else {
$text = preg_replace("/\[iframe\](.*?)\[\/iframe\]/ism", '<a href="$1">$1</a>', $text); $text = preg_replace("/\[iframe\](.*?)\[\/iframe\]/ism", '<a href="$1">$1</a>', $text);
}
// Youtube extensions // Youtube extensions
if ($try_oembed) { if ($try_oembed) {
@ -1879,6 +1876,14 @@ class BBCode
$config = \HTMLPurifier_HTML5Config::createDefault(); $config = \HTMLPurifier_HTML5Config::createDefault();
$config->set('HTML.Doctype', 'HTML5'); $config->set('HTML.Doctype', 'HTML5');
$config->set('HTML.SafeIframe', true);
$config->set('URI.SafeIframeRegexp', '%^(?:
https://www.youtube.com/embed/
|
https://player.vimeo.com/video/
|
' . DI::baseUrl() . '/oembed/ # Has to change with the source in Content\Oembed::iframe
)%xi');
$config->set('Attr.AllowedRel', [ $config->set('Attr.AllowedRel', [
'noreferrer' => true, 'noreferrer' => true,
'noopener' => true, 'noopener' => true,
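Review bot: The pattern given to `URI.SafeIframeRegexp` in the last hunk is looser than the three prefixes it is meant to allow. The dots in `www.youtube.com` and `player.vimeo.com` are unescaped, so each one matches any character, and `DI::baseUrl()` is concatenated into the expression without quoting. Because the pattern uses `%` as delimiter and the `x` flag, a `%` or `#` in the configured base URL would also change how the expression is parsed. Writing the hosts as `https://www\.youtube\.com/embed/` and `https://player\.vimeo\.com/video/`, and the local entry as `' . preg_quote((string) DI::baseUrl(), '%') . '/oembed/`, keeps the allowlist to exactly the intended sources. The enclosing function starts and ends outside the hunk.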


@ -290,7 +290,8 @@ class HTML
self::tagToBBCode($doc, 'video', ['src' => '/(.+)/'], '[video]$1', '[/video]', true); self::tagToBBCode($doc, 'video', ['src' => '/(.+)/'], '[video]$1', '[/video]', true);
self::tagToBBCode($doc, 'audio', ['src' => '/(.+)/'], '[audio]$1', '[/audio]', true); self::tagToBBCode($doc, 'audio', ['src' => '/(.+)/'], '[audio]$1', '[/audio]', true);
self::tagToBBCode($doc, 'iframe', ['src' => '/(.+)/'], '[iframe]$1', '[/iframe]', true); // Backward compatibility, [iframe] support has been removed in version 2020.12
self::tagToBBCode($doc, 'iframe', ['src' => '/(.+)/'], '[url]$1', '[/url]', true);
self::tagToBBCode($doc, 'key', [], '[code]', '[/code]'); self::tagToBBCode($doc, 'key', [], '[code]', '[/code]');
self::tagToBBCode($doc, 'code', [], '[code]', '[/code]'); self::tagToBBCode($doc, 'code', [], '[code]', '[/code]');
@ -630,6 +631,7 @@ class HTML
self::tagToBBCode($doc, 'img', ['src' => '/(.+)/'], ' ', ' '); self::tagToBBCode($doc, 'img', ['src' => '/(.+)/'], ' ', ' ');
} }
// Backward compatibility, [iframe] support has been removed in version 2020.12
self::tagToBBCode($doc, 'iframe', ['src' => '/(.+)/'], ' $1 ', ''); self::tagToBBCode($doc, 'iframe', ['src' => '/(.+)/'], ' $1 ', '');
$message = $doc->saveHTML(); $message = $doc->saveHTML();
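Review bot: The `src` pattern on the new iframe line in the first hunk is still `/(.+)/`, so whatever a remote document puts in an iframe `src`, regardless of scheme, is now emitted as `[url]…[/url]`. Whether non-http schemes are rejected afterwards depends on the `[url]` conversion and the purifier, neither of which is visible in this section. If they are not, a narrower pattern such as `['src' => '/(https?:\/\/.+)/']` would be the safer choice, after checking what `tagToBBCode` does with an iframe whose `src` does not match. The added comment could also state the new behaviour, e.g. `// [iframe] support was removed in 2020.12; the src is kept as a plain link`. Both enclosing functions start and end outside the hunks.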