array('handle' => false, // whether to handle sessions ourselves
'debug' => false, // debugging output for sessions
'gc_limit' => 1000), // max sessions to expire at a time
+ 'htmlfilter' => array( // purify HTML through htmLawed
+ 'img' => true,
+ 'video' => true,
+ 'audio' => true,
+ ),
'notice' =>
array('contentlimit' => null,
'defaultscope' => null, // null means 1 if site/private, 0 otherwise
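Review bot: The comment on the new `'htmlfilter'` entry does not say which way the booleans work, and `'img' => true` reads as "images enabled". The loop added to the purifier in this same commit appends `-img` to the element list for every `true` entry, so `true` removes the element. An administrator who sets a value to `false` expecting to block a tag would be allowing it instead. I would document the polarity on the array itself, for example `'htmlfilter' => array( // elements stripped on top of htmLawed's 'safe' set; true = remove the element`.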
{
require_once INSTALLDIR.'/extlib/htmLawed/htmLawed.php';
- $config = array('safe' => 1,
+ $config = array('safe' => 1, // means that elements=* means elements=*-applet-embed-iframe-object-script or so
+ 'elements' => '*',
'deny_attribute' => 'id,style,on*');
+ // Remove more elements than what the 'safe' filter gives (elements must be '*' before this)
+ // http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed/htmLawed_README.htm#s3.6
+ foreach (common_config('htmlfilter') as $tag=>$filter) {
+ if ($filter === true) {
+ $config['elements'] .= "-{$tag}";
+ }
+ }
+
$html = common_remove_unicode_formatting($html);
return htmLawed($html, $config);
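Review bot: The loop at `foreach (common_config('htmlfilter') as $tag=>$filter)` appends each config key to the htmLawed `elements` spec unchecked, and that spec gives `-` and `+` meaning, so a mistyped or unexpected key could change which elements are allowed instead of only removing one. Configuration is presumably administrator-controlled, but since this string is the sanitizer's element list a cheap guard seems worthwhile: `if ($filter === true && preg_match('/^[a-z][a-z0-9]*$/i', $tag)) {`. The strict `=== true` also means values such as `1` or `'true'` are silently skipped and the element stays allowed, which deserves a line in the comment above the loop. The enclosing function starts outside this hunk.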
return $besttype;
}
-function common_config($main, $sub)
+function common_config($main, $sub=null)
{
global $config;
+ if (is_null($sub)) {
+ // Return the config category array
+ return array_key_exists($main, $config) ? $config[$main] : array();
+ }
+ // Return the config value
return (array_key_exists($main, $config) &&
array_key_exists($sub, $config[$main])) ? $config[$main][$sub] : false;
}
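Review bot: Using `null` as the default for `$sub` means a caller that passes a variable which happens to be null, as in `common_config('site', $key)`, now receives the whole category array (truthy when non-empty) where the lookup would normally have returned `false`. Whether any caller does that is not visible here, but for settings used as on/off switches the difference is fail-open. Distinguishing by argument count avoids it: `if (func_num_args() === 1) {`. A docblock stating the two return shapes (an array, possibly empty, for a category; the value or `false` for a single key) would also help callers.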