Commit 7c8f804f authored by Aaron Wells, committed by Robert Lyon

Prevent HTTP iframes on an HTTPS site

Bug 1463629

Change-Id: I99f4df8b5ce51a58db5f122f44717ae6d12a6d72
parent 6e7b1750
......@@ -61,7 +61,17 @@ class HTMLPurifier_URIFilter_SafeIframe extends HTMLPurifier_URIFilter
return false;
// actually check the whitelists
return preg_match($this->regexp, $uri->toString());
if (!preg_match($this->regexp, $uri->toString())) {
return false;
// Make sure that if we're an HTTPS site, the iframe is also HTTPS
if (is_https() && $uri->scheme == 'http') {
// Convert it to a protocol-relative URL
$uri->scheme = null;
return $uri;
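Review bot: the new `return $uri;` at the end of this hunk hands back the URI object, while every other exit visible here returns `false` and the line it replaces returned the `preg_match()` result. Return `true` instead so callers keep receiving a boolean; `$uri->scheme = null` has already changed the object in place, so nothing is lost. The `$uri->scheme == 'http'` test could also use `===`, and the comment should say why a protocol-relative URL was chosen over setting the scheme to `https`, since the rewrite only happens when `is_https()` is already true.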
......@@ -10,3 +10,4 @@ content.
* Add the configuration directive Filter.ExtractStyleBlocks.PreserveCSS to allow the comments while cleaning CSS
* Altered SafeIframe.php so that an HTTPS site will rewrite HTTP iframes to protocol-relative
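Review bot: the added "Altered SafeIframe.php" entry does not say where the change came from, which makes it hard to re-apply or drop when the file is next updated. Append the bug number from the commit message (Bug 1463629) to the line, and mention that the rewrite depends on `is_https()`, since that call is the part someone re-applying the change will need to find.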