Commit a7e74fe9 authored by Richard Mansfield

Fix overly permissive SafeIframeRegexp in htmlpurifier (bug #922360)
Dots in the list of safe iframe sources are not escaped before use in
the regular expression passed to htmlpurifier, but they should be
because of their special meaning inside patterns.  This will prevent
people from registering domains like 'www-youtube.com' and
'playerxvimeo.com' and embedding iframes from those sites in their
pages.

Change-Id: I94ceedd77172cbb6650efad0ab7edfae92f5f7e8
Signed-off-by: Richard Mansfield <richard.mansfield@catalyst.net.nz>
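To make the bug described in the commit message concrete, the added example below (not part of the commit or of Mahara/HTMLPurifier) runs the first two source fragments, once as they were and once with the dots escaped, against a legitimate embed URL and the two lookalike hosts named above. How the fragments are spliced into the final URI.SafeIframeRegexp is not visible in this diff, so the `%`-delimited, scheme-and-host anchored assembly in `build_safe_iframe_regexp()` is an assumption.

```php
<?php
// Added example, not from the commit. Only the fragments come from the diff;
// the assembly of the full pattern (anchor, delimiters) is assumed.

function build_safe_iframe_regexp(array $fragments): string {
    // Assumed assembly: optional scheme, then "//", then one of the fragments.
    // '%' is used as the delimiter because the fragments contain unescaped '/'.
    return '%^(https?:)?//(' . implode('|', $fragments) . ')%';
}

$before = array(                 // fragments as they were before the fix
    'www.youtube.com/embed/',
    'player.vimeo.com/video/',
);
$after = array(                  // fragments after the fix: dots escaped
    'www\.youtube\.com/embed/',
    'player\.vimeo\.com/video/',
);

$urls = array(                   // constructed test URLs
    'https://www.youtube.com/embed/abc123',   // legitimate
    'https://www-youtube.com/embed/abc123',   // lookalike host from the commit message
    'https://player.vimeo.com/video/1',       // legitimate
    'https://playerxvimeo.com/video/1',       // lookalike host from the commit message
);

foreach (array('before' => $before, 'after' => $after) as $label => $fragments) {
    $re = build_safe_iframe_regexp($fragments);
    echo "$label: $re\n";
    foreach ($urls as $url) {
        // preg_match() returns 1 when the iframe source would be allowed;
        // an unescaped '.' matches the '-' or 'x' in the lookalike hosts.
        printf("  %-42s %s\n", $url, preg_match($re, $url) ? 'allowed' : 'blocked');
    }
}
```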
parent 9cef0735
......@@ -2729,11 +2729,12 @@ function clean_html($text, $xhtml=false) {
}
// Permit embedding contents from other sites
$safeiframesources = array('www.youtube.com/embed/',
'player.vimeo.com/video/',
'www.slideshare.net/slideshow/embed_code/',
'(www|edu).glogster.com/glog(/|.php)',
'wikieducator.org/index.php',
// List of pattern fragments for the URI.SafeIframeRegexp below
$safeiframesources = array('www\.youtube\.com/embed/',
'player\.vimeo\.com/video/',
'www\.slideshare\.net/slideshow/embed_code/',
'(www|edu)\.glogster\.com/glog(/|\.php)',
'wikieducator\.org/index\.php',
);
$config->set('HTML.SafeEmbed', true);
$config->set('HTML.SafeObject', true);
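Review bot: escaping the dots in the new `$safeiframesources` entries only closes the gap if the pattern they are spliced into anchors each fragment to the start of the URL's scheme and host; none of the fragments carry an anchor of their own and the assembly is outside this hunk, so please confirm it anchors with `^` and that its delimiter is not `/`, which several fragments contain unescaped. Because every plain entry now needs hand-escaping, the new comment `// List of pattern fragments for the URI.SafeIframeRegexp below` should say that regex metacharacters must be escaped (or plain entries could be wrapped with `preg_quote()`, keeping only the glogster entry as a hand-written pattern), and a unit test with the `www-youtube.com` case from the commit message would keep the fix from regressing when the next host is added.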