X-Git-Url: https://git.mxchange.org/?a=blobdiff_plain;f=src%2FObject%2FOEmbed.php;h=10204fd5227e5da0ade86ed8014271132997ca47;hb=0a4dc51bdc401f36a6eea73dc47846964d49bc00;hp=3eebcc22653d2b7c63aa983ad88ca231710a2c23;hpb=df917251ff1ba8fee277e208742c1bcc3b5d38a9;p=friendica.git

diff --git a/src/Object/OEmbed.php b/src/Object/OEmbed.php
index 3eebcc2265..10204fd522 100644
--- a/src/Object/OEmbed.php
+++ b/src/Object/OEmbed.php
@@ -1,4 +1,23 @@
 <?php
+/**
+ * @copyright Copyright (C) 2010-2021, the Friendica project
+ *
+ * @license GNU AGPL version 3 or any later version
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <https://www.gnu.org/licenses/>.
+ *
+ */
 
 namespace Friendica\Object;
 
@@ -7,7 +26,7 @@ namespace Friendica\Object;
  *
  * @see https://oembed.com/#section2.3
  *
- * @author Hypolite Petovan <mrpetovan@gmail.com>
+ * @author Hypolite Petovan <hypolite@mrpetovan.com>
  */
 class OEmbed
 {
@@ -42,6 +61,19 @@ class OEmbed
 		}
 
 		foreach ($properties as $key => $value) {
+			if (in_array($key, ['thumbnail_width', 'thumbnail_height', 'width', 'height'])) {
+				// These values should be numbers, so ensure that they really are numbers.
+				$value = (int)$value;
+			} elseif (is_array($value)) {
+				// Ignoring arrays.
+			} elseif ($key != 'html') {
+				// Avoid being able to inject some ugly stuff through these fields.
+				$value = htmlentities($value);
+			} else {
+				/// @todo Add a way to sanitize the html as well, possibly with an <iframe>?
+				$value = mb_convert_encoding($value, 'HTML-ENTITIES', mb_detect_encoding($value));
+			}
+
 			if (property_exists(__CLASS__, $key)) {
 				$this->{$key} = $value;
 			}