Sanitize the OEmbed data before processing it

This commit is contained in:
Michael 2018-11-21 07:07:24 +00:00
parent a76c00de66
commit aa1882fd99
2 changed files with 12 additions and 2 deletions

View file

@ -247,8 +247,7 @@ class OEmbed
$ret .= '</div>';
$ret = str_replace("\n", "", $ret);
return mb_convert_encoding($ret, 'HTML-ENTITIES', mb_detect_encoding($ret));
return str_replace("\n", "", $ret);
}
public static function BBCode2HTML($text)

View file

@ -42,6 +42,17 @@ class OEmbed
}
foreach ($properties as $key => $value) {
if (in_array($key, ['thumbnail_width', 'thumbnail_height', 'width', 'height'])) {
// These values should be numbers, so ensure that they really are numbers.
$value = (int)$value;
} elseif ($key != 'html') {
// Avoid being able to inject some ugly stuff through these fields.
$value = htmlentities($value);
} else {
/// @todo Add a way to sanitize the html as well, possibly with an <iframe>?
$value = mb_convert_encoding($value, 'HTML-ENTITIES', mb_detect_encoding($value));
}
if (property_exists(__CLASS__, $key)) {
$this->{$key} = $value;
}