Commit efe94997 authored by Aaron Wells's avatar Aaron Wells

Prevent HTTP iframes on an HTTPS site

Bug 1463629

Change-Id: I99f4df8b5ce51a58db5f122f44717ae6d12a6d72
parent e62fc897
......@@ -61,7 +61,17 @@ class HTMLPurifier_URIFilter_SafeIframe extends HTMLPurifier_URIFilter
return false;
}
// actually check the whitelists
return preg_match($this->regexp, $uri->toString());
if (!preg_match($this->regexp, $uri->toString())) {
return false;
}
// Make sure that if we're an HTTPS site, the iframe is also HTTPS
if (is_https() && $uri->scheme == 'http') {
// Convert it to a protocol-relative URL
$uri->scheme = null;
}
return $uri;
}
}
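Review bot: The success path now returns the `$uri` object while both failure paths return `false`, so the filter's result changes type; the removed line returned `preg_match`'s integer, which suggests the base-class contract is a boolean, and `return true;` in place of `return $uri;` would keep that contract explicit rather than relying on an object being truthy. The rewrite is also keyed on `$uri->scheme == 'http'`, a case-sensitive comparison that is only correct if the URI parser has already lowercased the scheme, which this hunk does not show; if that is not guaranteed, `strtolower((string) $uri->scheme) === 'http'` closes the gap. Finally, `is_https()` appears to be an application-level helper called from inside a vendored HTMLPurifier file, so a future library upgrade would silently drop this mixed-content fix; a marker comment above the new check such as `// Local modification (Bug 1463629): re-apply when upgrading HTMLPurifier` would make that risk visible to the next maintainer.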
......
......@@ -11,4 +11,4 @@ Changes:
* Add the configuration directive Filter.ExtractStyleBlocks.PreserveCSS to allow the comments while cleaning CSS
* Add more legal color formats such as rgba, hsl, and hsla
* Altered SafeIframe.php so that an HTTPS site will rewrite HTTP iframes to protocol-relative