use iframe for oembed - untrusted content

diff --git a/include/bbcode.php b/include/bbcode.php
index a8c66d30fd31daf6184a71ac8f4c0f7cba62f66d..e20b2478d3012927a491f47b465a21ee2c2d5a0f 100644 (file)
--- a/include/bbcode.php
+++ b/include/bbcode.php
@@ -19,8 +19,7 @@ function tryoembed($match){
        if ($o->type=="error") return $match[0];
        
        $html = oembed_format_object($o);
-       
-       return $html;
+       return oembed_iframe($html,$o->width,$o->height);
        
 }
 

diff --git a/include/oembed.php b/include/oembed.php
index 924e61289ed5ac787f571c3534e9ab7490a5603c..71b62b839dc876224db754acd72e01605bd446d4 100644 (file)
--- a/include/oembed.php
+++ b/include/oembed.php
@@ -1,8 +1,12 @@
 <?php
 function oembed_replacecb($matches){
+       logger('oembedcb');
        $embedurl=$matches[1];
        $j = oembed_fetch_url($embedurl);
-       return oembed_format_object($j);
+       $s =  oembed_format_object($j);
+       return oembed_iframe($s,$j->width,$j->height);
+
+
 }
 
 
@@ -102,6 +106,23 @@ function oembed_format_object($j){
        return  mb_convert_encoding($ret, 'HTML-ENTITIES', mb_detect_encoding($ret));
 }
 
+function oembed_iframe($src,$width,$height) {
+
+       if(! $width || strstr($width,'%'))
+               $width = '640';
+       if(! $height || strstr($height,'%'))
+               $height = '300';
+       // try and leave some room for the description line. 
+       $height = intval($height) + 80;
+       $width  = intval($width) + 40;
+
+       $s = 'data:text/html;base64,' . base64_encode('<html><body>' . $src . '</body></html>');
+       return '<iframe height="' . $height . '" width="' . $width . '" src="' . $s . '" frameborder="no" >' . t('Embedded content') . '</iframe>'; 
+
+}
+
+
+
 function oembed_bbcode2html($text){
        $stopoembed = get_config("system","no_oembed");
        if ($stopoembed == true){