Merge pull request #6177 from annando/oembed-escaping

Sanitize the OEmbed data before processing it
2018-11-21 08:06:26 -05:00 · 2018-11-21 08:06:26 -05:00 · a25df1a9c1
parent a76c00de66 aa1882fd99
commit a25df1a9c1
2 changed files with 12 additions and 2 deletions
--- a/src/Content/OEmbed.php
+++ b/src/Content/OEmbed.php
@ -247,8 +247,7 @@ class OEmbed

 		$ret .= '</div>';

-		$ret = str_replace("\n", "", $ret);
-		return mb_convert_encoding($ret, 'HTML-ENTITIES', mb_detect_encoding($ret));
+		return str_replace("\n", "", $ret);
 	}

 	public static function BBCode2HTML($text)
--- a/src/Object/OEmbed.php
+++ b/src/Object/OEmbed.php
@ -42,6 +42,17 @@ class OEmbed
 		}

 		foreach ($properties as $key => $value) {
+			if (in_array($key, ['thumbnail_width', 'thumbnail_height', 'width', 'height'])) {
+				// These values should be numbers, so ensure that they really are numbers.
+				$value = (int)$value;
+			} elseif ($key != 'html') {
+				// Avoid being able to inject some ugly stuff through these fields.
+				$value = htmlentities($value);
+			} else {
+				/// @todo Add a way to sanitize the html as well, possibly with an <iframe>?
+				$value = mb_convert_encoding($value, 'HTML-ENTITIES', mb_detect_encoding($value));
+			}
+
 			if (property_exists(__CLASS__, $key)) {
 				$this->{$key} = $value;
 			}