Merge pull request #9915 from MrPetovan/bug/9895-twitter-oembed

Harden OEmbed link discovery
Tobias Diekershoff 2021-02-10 11:31:42 +01:00 committed by GitHub
commit fddac41f00
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23


@ -98,21 +98,23 @@ class OEmbed
// try oembed autodiscovery // try oembed autodiscovery
$html_text = DI::httpRequest()->fetch($embedurl, 15, 'text/*'); $html_text = DI::httpRequest()->fetch($embedurl, 15, 'text/*');
if ($html_text) { if ($html_text) {
$dom = @DOMDocument::loadHTML($html_text); $dom = new DOMDocument();
if ($dom) { if ($dom->loadHTML($html_text)) {
$xpath = new DOMXPath($dom); $xpath = new DOMXPath($dom);
$entries = $xpath->query("//link[@type='application/json+oembed']"); foreach (
foreach ($entries as $e) { $xpath->query("//link[@type='application/json+oembed'] | //link[@type='text/json+oembed']")
$href = $e->getAttributeNode('href')->nodeValue; as $link)
$json_string = DI::httpRequest()->fetch($href . '&maxwidth=' . $a->videowidth); {
break; $href = $link->getAttributeNode('href')->nodeValue;
} // Both Youtube and Vimeo output OEmbed endpoint URL with HTTP
// but their OEmbed endpoint is only accessible by HTTPS ¯\_(ツ)_/¯
$entries = $xpath->query("//link[@type='text/json+oembed']"); $href = str_replace(['http://www.youtube.com/', 'http://player.vimeo.com/'],
foreach ($entries as $e) { ['https://www.youtube.com/', 'https://player.vimeo.com/'], $href);
$href = $e->getAttributeNode('href')->nodeValue; $result = DI::httpRequest()->fetchFull($href . '&maxwidth=' . $a->videowidth);
$json_string = DI::httpRequest()->fetch($href . '&maxwidth=' . $a->videowidth); if ($result->getReturnCode() === 200) {
break; $json_string = $result->getBody();
break;
}
} }
} }
} }
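Review bot: The `href` read inside the `foreach` comes from markup the remote page controls and is passed to `fetchFull()` unchecked, so the page decides where the server's follow-up request goes (a server-side request forgery risk), and a `<link>` without an `href` makes `getAttributeNode('href')` return a non-object before `->nodeValue` is read. I would read it with `$href = $link->getAttribute('href');` and skip anything that is not a web URL: `if (!in_array(parse_url($href, PHP_URL_SCHEME), ['http', 'https'], true)) { continue; }`. Whether the client behind `DI::httpRequest()` already refuses loopback or internal hosts is not visible in this hunk, so that should be confirmed or a host check added at the same place. Separately, with the `@` gone `loadHTML()` will emit libxml warnings on ordinary malformed HTML; calling `libxml_use_internal_errors(true)` before parsing would keep them out of the logs. The enclosing method starts and ends outside the hunk.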
@ -337,10 +339,6 @@ class OEmbed
public static function getHTML($url, $title = null) public static function getHTML($url, $title = null)
{ {
// Always embed the SSL version
$url = str_replace(["http://www.youtube.com/", "http://player.vimeo.com/"],
["https://www.youtube.com/", "https://player.vimeo.com/"], $url);
$o = self::fetchURL($url, !self::isAllowedURL($url)); $o = self::fetchURL($url, !self::isAllowedURL($url));
if (!is_object($o) || property_exists($o, 'type') && $o->type == 'error') { if (!is_object($o) || property_exists($o, 'type') && $o->type == 'error') {