X-Git-Url: https://git.mxchange.org/?a=blobdiff_plain;f=include%2Fbbcode.php;h=489ef8b2e38e0b7680a701538dad49533305663e;hb=0060e2449e4f225436964a8203b706ddd3e0d01f;hp=74dde2fdf431ee0f488ab11804a1698058719255;hpb=4d591c4a074a11bb27f5fe0981a13125d4ef2e02;p=friendica.git
diff --git a/include/bbcode.php b/include/bbcode.php
index 74dde2fdf4..489ef8b2e3 100644
--- a/include/bbcode.php
+++ b/include/bbcode.php
@@ -1163,8 +1163,10 @@ function bbcode($Text,$preserve_nl = false, $tryoembed = true, $simplehtml = fal
 // fix any escaped ampersands that may have been converted into links
 $Text = preg_replace('/\<([^>]*?)(src|href)=(.*?)\&\;(.*?)\>/ism', '<$1$2=$3&$4>', $Text);
 
- // sanitizes src attributes (only relative redir URIs or http URLs)
- $Text = preg_replace('#<([^>]*?)(src)="(?!http|redir)(.*?)"(.*?)>#ism', '<$1$2=""$4 class="invalid-src" title="' . t('Invalid source protocol') . '">', $Text);
+ // sanitizes src attributes (http and redir URLs for displaying in a web page, cid used for inline images in emails)
+ static $allowed_src_protocols = array('http', 'redir', 'cid');
+ $Text = preg_replace('#<([^>]*?)(src)="(?!' . implode('|', $allowed_src_protocols) . ')(.*?)"(.*?)>#ism',
+ '<$1$2=""$4 class="invalid-src" title="' . t('Invalid source protocol') . '">', $Text);
 
 // sanitize href attributes (only whitelisted protocols URLs)
 // default value for backward compatibility
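Review bot: The negative lookahead built on the new `$Text = preg_replace(...)` line treats the allowed protocols as bare prefixes, so any `src` value that merely begins with `http`, `redir` or `cid` passes the check, and the list entries are interpolated into the pattern without `preg_quote()`, so a future entry containing a regex metacharacter would silently change what the pattern matches. Consider `'(?!' . implode('|', array_map('preg_quote', $allowed_src_protocols)) . ')'` and, for entries that are URL schemes, anchoring them with a trailing `:`; `redir` appears to be used as a relative path prefix per the removed comment and may need to stay unanchored. The `cid` entry is also admitted unconditionally even though the new comment says it is for inline images in e-mails; if the same `bbcode()` output is rendered in web pages, the comment should state that `cid:` sources are accepted there as well, or the entry should be gated on the caller context. The enclosing `bbcode()` function starts before and continues after this hunk.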