Because we don't want to auto-fetch items from a remote server. Such
items should be delivered as attachment metadata and portrayed in the
way the local instance chooses.
Choices for portrayal are either simply nullifying this and embedding
the data, linking the file remotely requiring a manual click or maybe
use remote oEmbed data etc. to download files locally so no remote
requests have to be made.
array('handle' => false, // whether to handle sessions ourselves
'debug' => false, // debugging output for sessions
'gc_limit' => 1000), // max sessions to expire at a time
array('handle' => false, // whether to handle sessions ourselves
'debug' => false, // debugging output for sessions
'gc_limit' => 1000), // max sessions to expire at a time
+ 'htmlfilter' => array( // purify HTML through htmLawed
+ 'img' => true,
+ 'video' => true,
+ 'audio' => true,
+ ),
'notice' =>
array('contentlimit' => null,
'defaultscope' => null, // null means 1 if site/private, 0 otherwise
'notice' =>
array('contentlimit' => null,
'defaultscope' => null, // null means 1 if site/private, 0 otherwise
{
require_once INSTALLDIR.'/extlib/htmLawed/htmLawed.php';
{
require_once INSTALLDIR.'/extlib/htmLawed/htmLawed.php';
- $config = array('safe' => 1,
+ $config = array('safe' => 1, // means that elements=* means elements=*-applet-embed-iframe-object-script or so
+ 'elements' => '*',
'deny_attribute' => 'id,style,on*');
'deny_attribute' => 'id,style,on*');
+ // Remove more elements than what the 'safe' filter gives (elements must be '*' before this)
+ // http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed/htmLawed_README.htm#s3.6
+ foreach (common_config('htmlfilter') as $tag=>$filter) {
+ if ($filter === true) {
+ $config['elements'] .= "-{$tag}";
+ }
+ }
+
$html = common_remove_unicode_formatting($html);
return htmLawed($html, $config);
$html = common_remove_unicode_formatting($html);
return htmLawed($html, $config);
-function common_config($main, $sub)
+function common_config($main, $sub=null)
+ if (is_null($sub)) {
+ // Return the config category array
+ return array_key_exists($main, $config) ? $config[$main] : array();
+ }
+ // Return the config value
return (array_key_exists($main, $config) &&
array_key_exists($sub, $config[$main])) ? $config[$main][$sub] : false;
}
return (array_key_exists($main, $config) &&
array_key_exists($sub, $config[$main])) ? $config[$main][$sub] : false;
}