Merge pull request #6177 from annando/oembed-escaping

Sanitize the OEmbed data before processing it
This commit is contained in:
Hypolite Petovan 2018-11-21 08:06:26 -05:00 committed by GitHub
commit a25df1a9c1
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 12 additions and 2 deletions

View file

@ -247,8 +247,7 @@ class OEmbed
$ret .= '</div>'; $ret .= '</div>';
$ret = str_replace("\n", "", $ret); return str_replace("\n", "", $ret);
return mb_convert_encoding($ret, 'HTML-ENTITIES', mb_detect_encoding($ret));
} }
public static function BBCode2HTML($text) public static function BBCode2HTML($text)

View file

@ -42,6 +42,17 @@ class OEmbed
} }
foreach ($properties as $key => $value) { foreach ($properties as $key => $value) {
if (in_array($key, ['thumbnail_width', 'thumbnail_height', 'width', 'height'])) {
// These values should be numbers, so ensure that they really are numbers.
$value = (int)$value;
} elseif ($key != 'html') {
// Avoid being able to inject some ugly stuff through these fields.
$value = htmlentities($value);
} else {
/// @todo Add a way to sanitize the html as well, possibly with an <iframe>?
$value = mb_convert_encoding($value, 'HTML-ENTITIES', mb_detect_encoding($value));
}
if (property_exists(__CLASS__, $key)) { if (property_exists(__CLASS__, $key)) {
$this->{$key} = $value; $this->{$key} = $value;
} }