Bug 1759367: Cherry-pick for Prevent HTTP iframes on an HTTPS site

Cherry pick of Bug 1463629 for the upgrade of html purifier to 4.10.0 behatnotneeded Change-Id: I0c89f64f567d55b8a9ffd3772bdc23563103a93d

Bug 1759367: Cherry-pick for Prevent HTTP iframes on an HTTPS site
Cherry pick of Bug 1463629 for the upgrade of html purifier to 4.10.0 behatnotneeded Change-Id: I0c89f64f567d55b8a9ffd3772bdc23563103a93d
7175f91e · Aaron Wells · Cecilia Vela Gurovic · ca096756 · 7175f91e
Commit 7175f91e authored Jun 10, 2015 by Aaron Wells Committed by Cecilia Vela Gurovic Mar 28, 2018
--- a/htdocs/lib/htmlpurifier/HTMLPurifier/URIFilter/SafeIframe.php
+++ b/htdocs/lib/htmlpurifier/HTMLPurifier/URIFilter/SafeIframe.php
-<?php
-
-/**
- * Implements safety checks for safe iframes.
- *
- * @warning This filter is *critical* for ensuring that %HTML.SafeIframe
- * works safely.
- */
-class HTMLPurifier_URIFilter_SafeIframe extends HTMLPurifier_URIFilter
-{
-    /**
-     * @type string
-     */
-    public $name = 'SafeIframe';
-
-    /**
-     * @type bool
-     */
-    public $always_load = true;
-
-    /**
-     * @type string
-     */
-    protected $regexp = null;
-
-    // XXX: The not so good bit about how this is all set up now is we
-    // can't check HTML.SafeIframe in the 'prepare' step: we have to
-    // defer till the actual filtering.
-    /**
-     * @param HTMLPurifier_Config $config
-     * @return bool
-     */
-    public function prepare($config)
-    {
-        $this->regexp = $config->get('URI.SafeIframeRegexp');
-        return true;
-    }
-
-    /**
-     * @param HTMLPurifier_URI $uri
-     * @param HTMLPurifier_Config $config
-     * @param HTMLPurifier_Context $context
-     * @return bool
-     */
-    public function filter(&$uri, $config, $context)
-    {
-        // check if filter not applicable
-        if (!$config->get('HTML.SafeIframe')) {
-            return true;
-        }
-        // check if the filter should actually trigger
-        if (!$context->get('EmbeddedURI', true)) {
-            return true;
-        }
-        $token = $context->get('CurrentToken', true);
-        if (!($token && $token->name == 'iframe')) {
-            return true;
-        }
-        // check if we actually have some whitelists enabled
-        if ($this->regexp === null) {
-            return false;
-        }
-        // actually check the whitelists
-        return preg_match($this->regexp, $uri->toString());
-    }
-}
-
-// vim: et sw=4 sts=4
+<?php
+
+/**
+ * Implements safety checks for safe iframes.
+ *
+ * @warning This filter is *critical* for ensuring that %HTML.SafeIframe
+ * works safely.
+ */
+class HTMLPurifier_URIFilter_SafeIframe extends HTMLPurifier_URIFilter
+{
+    /**
+     * @type string
+     */
+    public $name = 'SafeIframe';
+
+    /**
+     * @type bool
+     */
+    public $always_load = true;
+
+    /**
+     * @type string
+     */
+    protected $regexp = null;
+
+    // XXX: The not so good bit about how this is all set up now is we
+    // can't check HTML.SafeIframe in the 'prepare' step: we have to
+    // defer till the actual filtering.
+    /**
+     * @param HTMLPurifier_Config $config
+     * @return bool
+     */
+    public function prepare($config)
+    {
+        $this->regexp = $config->get('URI.SafeIframeRegexp');
+        return true;
+    }
+
+    /**
+     * @param HTMLPurifier_URI $uri
+     * @param HTMLPurifier_Config $config
+     * @param HTMLPurifier_Context $context
+     * @return bool
+     */
+    public function filter(&$uri, $config, $context)
+    {
+        // check if filter not applicable
+        if (!$config->get('HTML.SafeIframe')) {
+            return true;
+        }
+        // check if the filter should actually trigger
+        if (!$context->get('EmbeddedURI', true)) {
+            return true;
+        }
+        $token = $context->get('CurrentToken', true);
+        if (!($token && $token->name == 'iframe')) {
+            return true;
+        }
+        // check if we actually have some whitelists enabled
+        if ($this->regexp === null) {
+            return false;
+        }
+        // actually check the whitelists
+        if (!preg_match($this->regexp, $uri->toString())) {
+            return false;
+        }
+
+        // Make sure that if we're an HTTPS site, the iframe is also HTTPS
+        if (is_https() && $uri->scheme == 'http') {
+            // Convert it to a protocol-relative URL
+            $uri->scheme = null;
+        }
+
+        return $uri;
+    }
+}
+
+// vim: et sw=4 sts=4