Use system.allowed_oembed config to allow iframe source

diff --git a/src/Content/Text/BBCode.php b/src/Content/Text/BBCode.php
index c6095cd4194ec4fad6f5e8d1de0e253c13db8df6..6101f5479c5c9b0315689371f7d7c7be1cd34419 100644 (file)
--- a/src/Content/Text/BBCode.php
+++ b/src/Content/Text/BBCode.php
@@ -1884,6 +1884,13 @@ class BBCode
                        'player.vimeo.com/video/',
                ];
 
+               $allowedIframeDomains = array_merge(
+                       $allowedIframeDomains,
+                       DI::config()->get('system', 'allowed_oembed') ?
+                               explode(',', DI::config()->get('system', 'allowed_oembed'))
+                               : []
+               );
+
                $text = HTML::purify($text, $allowedIframeDomains);
 
                return $text;

diff --git a/src/Module/Admin/Site.php b/src/Module/Admin/Site.php
index 8cd2648cf6d559f0ee86fd179ec9b33ac93c2923..dff2a1076c017d615815d8d839a0a0a3a882a910 100644 (file)
--- a/src/Module/Admin/Site.php
+++ b/src/Module/Admin/Site.php
@@ -624,7 +624,7 @@ class Site extends BaseAdmin
                        '$allowed_sites'          => ['allowed_sites', DI::l10n()->t('Allowed friend domains'), DI::config()->get('system', 'allowed_sites'), DI::l10n()->t('Comma separated list of domains which are allowed to establish friendships with this site. Wildcards are accepted. Empty to allow any domains')],
                        '$allowed_email'          => ['allowed_email', DI::l10n()->t('Allowed email domains'), DI::config()->get('system', 'allowed_email'), DI::l10n()->t('Comma separated list of domains which are allowed in email addresses for registrations to this site. Wildcards are accepted. Empty to allow any domains')],
                        '$no_oembed_rich_content' => ['no_oembed_rich_content', DI::l10n()->t('No OEmbed rich content'), DI::config()->get('system', 'no_oembed_rich_content'), DI::l10n()->t('Don\'t show the rich content (e.g. embedded PDF), except from the domains listed below.')],
-                       '$allowed_oembed'         => ['allowed_oembed', DI::l10n()->t('Allowed OEmbed domains'), DI::config()->get('system', 'allowed_oembed'), DI::l10n()->t('Comma separated list of domains which oembed content is allowed to be displayed. Wildcards are accepted.')],
+                       '$allowed_oembed'         => ['allowed_oembed', DI::l10n()->t('Trusted third-party domains'), DI::config()->get('system', 'allowed_oembed'), DI::l10n()->t('Comma separated list of domains from which content is allowed to be embedded in posts like with OEmbed. All sub-domains of the listed domains are allowed as well.')],
                        '$block_public'           => ['block_public', DI::l10n()->t('Block public'), DI::config()->get('system', 'block_public'), DI::l10n()->t('Check to block public access to all otherwise public personal pages on this site unless you are currently logged in.')],
                        '$force_publish'          => ['publish_all', DI::l10n()->t('Force publish'), DI::config()->get('system', 'publish_all'), DI::l10n()->t('Check to force all profiles on this site to be listed in the site directory.') . '<strong>' . DI::l10n()->t('Enabling this may violate privacy laws like the GDPR') . '</strong>'],
                        '$global_directory'       => ['directory', DI::l10n()->t('Global directory URL'), DI::config()->get('system', 'directory'), DI::l10n()->t('URL to the global directory. If this is not set, the global directory is completely unavailable to the application.')],