Remove support for [iframe] BBCode
- It was a huge gaping security hole, and now HTML Purify will remove the src attribute of all non-allowed sources anyway.
This commit is contained in:
parent
13c7224789
commit
ec0c9dcdb1
4 changed files with 5 additions and 14 deletions
|
@ -502,10 +502,6 @@ You can embed video, audio and more in a message.
|
||||||
<td>[embed]URL[/embed]</td>
|
<td>[embed]URL[/embed]</td>
|
||||||
<td>Embed OEmbed rich content.</td>
|
<td>Embed OEmbed rich content.</td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr>
|
|
||||||
<td>[iframe]URL[/iframe]</td>
|
|
||||||
<td>General embed, iframe size is limited by the theme size for video players.</td>
|
|
||||||
</tr>
|
|
||||||
<tr>
|
<tr>
|
||||||
<td>[url]*url*[/url]</td>
|
<td>[url]*url*[/url]</td>
|
||||||
<td>If *url* supports oembed or opengraph specifications the embedded object will be shown (eg, documents from scribd).
|
<td>If *url* supports oembed or opengraph specifications the embedded object will be shown (eg, documents from scribd).
|
||||||
|
|
|
@ -482,10 +482,6 @@ Du kannst Videos, Musikdateien und weitere Dinge in Beiträgen einbinden.
|
||||||
<td>[embed]URL[/embed]</td>
|
<td>[embed]URL[/embed]</td>
|
||||||
<td>OEmbed rich content einbetten.</td>
|
<td>OEmbed rich content einbetten.</td>
|
||||||
</tr>
|
</tr>
|
||||||
<tr>
|
|
||||||
<td>[iframe]URL[/iframe]</td>
|
|
||||||
<td>General embed, iframe size is limited by the theme size for video players.</td>
|
|
||||||
</tr>
|
|
||||||
<tr>
|
<tr>
|
||||||
<td>[url]*url*[/url]</td>
|
<td>[url]*url*[/url]</td>
|
||||||
<td>Wenn *url* die OEmbed- oder Opengraph-Spezifikationen unterstützt, wird das Objekt eingebettet (z.B. Dokumente von scribd).
|
<td>Wenn *url* die OEmbed- oder Opengraph-Spezifikationen unterstützt, wird das Objekt eingebettet (z.B. Dokumente von scribd).
|
||||||
|
|
|
@ -1622,11 +1622,8 @@ class BBCode
|
||||||
'<a href="$1" target="_blank" rel="noopener noreferrer">$1</a>', $text);
|
'<a href="$1" target="_blank" rel="noopener noreferrer">$1</a>', $text);
|
||||||
}
|
}
|
||||||
|
|
||||||
if ($try_oembed) {
|
// Backward compatibility, [iframe] support has been removed in version 2020.12
|
||||||
$text = preg_replace("/\[iframe\](.*?)\[\/iframe\]/ism", '<iframe src="$1" width="' . $a->videowidth . '" height="' . $a->videoheight . '"><a href="$1">$1</a></iframe>', $text);
|
$text = preg_replace("/\[iframe\](.*?)\[\/iframe\]/ism", '<a href="$1">$1</a>', $text);
|
||||||
} else {
|
|
||||||
$text = preg_replace("/\[iframe\](.*?)\[\/iframe\]/ism", '<a href="$1">$1</a>', $text);
|
|
||||||
}
|
|
||||||
|
|
||||||
// Youtube extensions
|
// Youtube extensions
|
||||||
if ($try_oembed) {
|
if ($try_oembed) {
|
||||||
|
|
|
@ -290,7 +290,8 @@ class HTML
|
||||||
|
|
||||||
self::tagToBBCode($doc, 'video', ['src' => '/(.+)/'], '[video]$1', '[/video]', true);
|
self::tagToBBCode($doc, 'video', ['src' => '/(.+)/'], '[video]$1', '[/video]', true);
|
||||||
self::tagToBBCode($doc, 'audio', ['src' => '/(.+)/'], '[audio]$1', '[/audio]', true);
|
self::tagToBBCode($doc, 'audio', ['src' => '/(.+)/'], '[audio]$1', '[/audio]', true);
|
||||||
self::tagToBBCode($doc, 'iframe', ['src' => '/(.+)/'], '[iframe]$1', '[/iframe]', true);
|
// Backward compatibility, [iframe] support has been removed in version 2020.12
|
||||||
|
self::tagToBBCode($doc, 'iframe', ['src' => '/(.+)/'], '[url]$1', '[/url]', true);
|
||||||
|
|
||||||
self::tagToBBCode($doc, 'key', [], '[code]', '[/code]');
|
self::tagToBBCode($doc, 'key', [], '[code]', '[/code]');
|
||||||
self::tagToBBCode($doc, 'code', [], '[code]', '[/code]');
|
self::tagToBBCode($doc, 'code', [], '[code]', '[/code]');
|
||||||
|
@ -630,6 +631,7 @@ class HTML
|
||||||
self::tagToBBCode($doc, 'img', ['src' => '/(.+)/'], ' ', ' ');
|
self::tagToBBCode($doc, 'img', ['src' => '/(.+)/'], ' ', ' ');
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Backward compatibility, [iframe] support has been removed in version 2020.12
|
||||||
self::tagToBBCode($doc, 'iframe', ['src' => '/(.+)/'], ' $1 ', '');
|
self::tagToBBCode($doc, 'iframe', ['src' => '/(.+)/'], ' $1 ', '');
|
||||||
|
|
||||||
$message = $doc->saveHTML();
|
$message = $doc->saveHTML();
|
||||||
|
|
Loading…
Reference in a new issue