Remove support for [iframe] BBCode

- It was a huge gaping security hole, and now HTML Purify will remove the src attribute of all non-allowed sources anyway.
This commit is contained in:
Hypolite Petovan 2020-12-18 01:16:35 -05:00
parent 13c7224789
commit ec0c9dcdb1
4 changed files with 5 additions and 14 deletions

View file

@ -502,10 +502,6 @@ You can embed video, audio and more in a message.
<td>[embed]URL[/embed]</td> <td>[embed]URL[/embed]</td>
<td>Embed OEmbed rich content.</td> <td>Embed OEmbed rich content.</td>
</tr> </tr>
<tr>
<td>[iframe]URL[/iframe]</td>
<td>General embed, iframe size is limited by the theme size for video players.</td>
</tr>
<tr> <tr>
<td>[url]*url*[/url]</td> <td>[url]*url*[/url]</td>
<td>If *url* supports oembed or opengraph specifications the embedded object will be shown (eg, documents from scribd). <td>If *url* supports oembed or opengraph specifications the embedded object will be shown (eg, documents from scribd).

View file

@ -482,10 +482,6 @@ Du kannst Videos, Musikdateien und weitere Dinge in Beitr&auml;gen einbinden.
<td>[embed]URL[/embed]</td> <td>[embed]URL[/embed]</td>
<td>OEmbed rich content einbetten.</td> <td>OEmbed rich content einbetten.</td>
</tr> </tr>
<tr>
<td>[iframe]URL[/iframe]</td>
<td>General embed, iframe size is limited by the theme size for video players.</td>
</tr>
<tr> <tr>
<td>[url]*url*[/url]</td> <td>[url]*url*[/url]</td>
<td>Wenn *url* die OEmbed- oder Opengraph-Spezifikationen unterst&uuml;tzt, wird das Objekt eingebettet (z.B. Dokumente von scribd). <td>Wenn *url* die OEmbed- oder Opengraph-Spezifikationen unterst&uuml;tzt, wird das Objekt eingebettet (z.B. Dokumente von scribd).

View file

@ -1622,11 +1622,8 @@ class BBCode
'<a href="$1" target="_blank" rel="noopener noreferrer">$1</a>', $text); '<a href="$1" target="_blank" rel="noopener noreferrer">$1</a>', $text);
} }
if ($try_oembed) { // Backward compatibility, [iframe] support has been removed in version 2020.12
$text = preg_replace("/\[iframe\](.*?)\[\/iframe\]/ism", '<iframe src="$1" width="' . $a->videowidth . '" height="' . $a->videoheight . '"><a href="$1">$1</a></iframe>', $text); $text = preg_replace("/\[iframe\](.*?)\[\/iframe\]/ism", '<a href="$1">$1</a>', $text);
} else {
$text = preg_replace("/\[iframe\](.*?)\[\/iframe\]/ism", '<a href="$1">$1</a>', $text);
}
// Youtube extensions // Youtube extensions
if ($try_oembed) { if ($try_oembed) {

View file

@ -290,7 +290,8 @@ class HTML
self::tagToBBCode($doc, 'video', ['src' => '/(.+)/'], '[video]$1', '[/video]', true); self::tagToBBCode($doc, 'video', ['src' => '/(.+)/'], '[video]$1', '[/video]', true);
self::tagToBBCode($doc, 'audio', ['src' => '/(.+)/'], '[audio]$1', '[/audio]', true); self::tagToBBCode($doc, 'audio', ['src' => '/(.+)/'], '[audio]$1', '[/audio]', true);
self::tagToBBCode($doc, 'iframe', ['src' => '/(.+)/'], '[iframe]$1', '[/iframe]', true); // Backward compatibility, [iframe] support has been removed in version 2020.12
self::tagToBBCode($doc, 'iframe', ['src' => '/(.+)/'], '[url]$1', '[/url]', true);
self::tagToBBCode($doc, 'key', [], '[code]', '[/code]'); self::tagToBBCode($doc, 'key', [], '[code]', '[/code]');
self::tagToBBCode($doc, 'code', [], '[code]', '[/code]'); self::tagToBBCode($doc, 'code', [], '[code]', '[/code]');
@ -630,6 +631,7 @@ class HTML
self::tagToBBCode($doc, 'img', ['src' => '/(.+)/'], ' ', ' '); self::tagToBBCode($doc, 'img', ['src' => '/(.+)/'], ' ', ' ');
} }
// Backward compatibility, [iframe] support has been removed in version 2020.12
self::tagToBBCode($doc, 'iframe', ['src' => '/(.+)/'], ' $1 ', ''); self::tagToBBCode($doc, 'iframe', ['src' => '/(.+)/'], ' $1 ', '');
$message = $doc->saveHTML(); $message = $doc->saveHTML();