Commit 7a7f066d authored by Aaron Wells's avatar Aaron Wells Committed by Robert Lyon

Prevent HTTP iframes on an HTTPS site

Bug 1463629

Change-Id: I99f4df8b5ce51a58db5f122f44717ae6d12a6d72
parent 1be3956b
......@@ -61,7 +61,17 @@ class HTMLPurifier_URIFilter_SafeIframe extends HTMLPurifier_URIFilter
return false;
}
// actually check the whitelists
return preg_match($this->regexp, $uri->toString());
if (!preg_match($this->regexp, $uri->toString())) {
return false;
}
// Make sure that if we're an HTTPS site, the iframe is also HTTPS
if (is_https() && $uri->scheme == 'http') {
// Convert it to a protocol-relative URL
$uri->scheme = null;
}
return $uri;
}
}
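Review bot: `return $uri;` at the end of the hunk hands back the URI object where the other exits shown here return `false`, so the success path depends on an object being truthy. Because the rewrite is made by assigning `$uri->scheme` on the object itself, `return true;` would state the result directly. This assumes the caller expects a boolean and receives `$uri` by reference; the method signature is outside the hunk, so confirm. The scheme test would be stricter as `if (is_https() && $uri->scheme === 'http') {`, and it only matches a lower-case scheme, so if the scheme is not normalised before this filter runs, an `HTTP://` source would remain as mixed content. The rewrite also relies on `is_https()` reflecting the scheme the browser actually sees, which is worth checking for deployments behind a TLS-terminating proxy.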
......
......@@ -9,4 +9,5 @@ content.
Changes:
* None
* Altered SafeIframe.php so that an HTTPS site will rewrite HTTP iframes to protocol-relative