Commit f778257c authored by Francois Marier's avatar Francois Marier Committed by Ruslan Kabalin

Add ability to disable external resources through HTML Purifier



This is based on a patch by Greg Rogan.

Bug #714964

Change-Id: If2eb38b37f2ea74dd2c516b48b331009d7be2256
Signed-off-by: default avatarFrancois Marier <francois@catalyst.net.nz>
Reviewed-on: https://reviews.mahara.org/5

Reviewed-by: default avatarRuslan Kabalin <ruslan.kabalin@luns.net.uk>
parent be86adfb
......@@ -336,6 +336,14 @@ $siteoptionform = array(
'help' => true,
'disabled' => in_array('surbl', $OVERRIDDEN),
),
'disableexternalresources' => array(
'type' => 'checkbox',
'title' => get_string('disableexternalresources', 'admin'),
'description' => get_string('disableexternalresourcesdescription', 'admin'),
'defaultvalue' => get_config('disableexternalresources'),
'help' => true,
'disabled' => in_array('disableexternalresources', $OVERRIDDEN),
),
),
),
# TODO: this should become "Network Settings" at some point
......@@ -469,7 +477,7 @@ function siteoptions_submit(Pieform $form, $values) {
'registration_sendweeklyupdates', 'institutionexpirynotification', 'institutionautosuspend',
'showselfsearchsideblock', 'searchusernames', 'showtagssideblock',
'tagssideblockmaxtags', 'country', 'viewmicroheaders', 'userscanchooseviewthemes',
'remoteavatars', 'userscanhiderealnames', 'antispam', 'spamhaus', 'surbl', 'anonymouscomments',
'remoteavatars', 'userscanhiderealnames', 'antispam', 'spamhaus', 'surbl', 'anonymouscomments', 'disableexternalresources',
'proxyaddress', 'proxyauthmodel', 'proxyauthcredentials',
'homepageinfo', 'showonlineuserssideblock', 'registerterms', 'allowmobileuploads',
'creategroups', 'createpublicgroups', 'allowgroupcategories',
......
......@@ -269,6 +269,8 @@ $string['spamhaus'] = 'Enable Spamhaus URL blacklist';
$string['spamhausdescription'] = 'If enabled, URLs will be checked against the Spamhaus DNSBL';
$string['surbl'] = 'Enable SURBL URL blacklist';
$string['surbldescription'] = 'If enabled, URLs will be checked against the SURBL DNSBL';
$string['disableexternalresources'] = 'Disable external resources in user HTML';
$string['disableexternalresourcesdescription'] = 'Disables the embedding of external resources, preventing users from embedding things like images from other hosts';
$string['tagssideblockmaxtags'] = 'Maximum Tags in Cloud';
$string['tagssideblockmaxtagsdescription'] = 'The default number of tags to display in user tag clouds';
$string['trustedsites'] = 'Trusted sites';
......
<h3>Disable external resources in user HTML</h3>
<p>Turning this on will prevent users from embedding images from remote sites
into their forum posts and other HTML content.</p>
<p>It is however a good thing to do from a security standpoint since it does
neutralise a few clever phishing attacks.</p>
<p>See the <a href="http://htmlpurifier.org/live/configdoc/plain.html#URI.DisableExternalResources">HTML Purifier documentation</a> for more details.</p>
......@@ -2544,6 +2544,10 @@ function clean_html($text, $xhtml=false) {
}
$config->set('AutoFormat.Linkify', true);
if (get_config('disableexternalresources')) {
$config->set('URI.DisableExternalResources', true);
}
// Permit embedding contents from other sites
$config->set('HTML.SafeEmbed', true);
$config->set('HTML.SafeObject', true);
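Review bot: With `URI.DisableExternalResources` switched on, HTML Purifier decides what is external by comparing each embedded URI's host with the `URI.Host` directive, and the visible lines of `clean_html` do not set it. If it is not configured in the part of the function outside this hunk, absolute URLs pointing at this site's own images would presumably be stripped along with the remote ones, and admins who see broken local content are likely to turn the protection off again. Consider setting it inside the new branch, e.g. `$config->set('URI.Host', $sitehost);`, where `$sitehost` is a placeholder for the host part of the site's base URL. The comment just below, `// Permit embedding contents from other sites`, is no longer accurate when the option is on and could read `// Permit <embed>/<object> markup (remote sources may still be blocked by disableexternalresources)`. The body of `clean_html` starts and ends outside the hunk, so the rest of the purifier configuration should be checked before merging.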
......