$ret .= '</div>';
- $ret = str_replace("\n", "", $ret);
- return mb_convert_encoding($ret, 'HTML-ENTITIES', mb_detect_encoding($ret));
+ return str_replace("\n", "", $ret);
}
public static function BBCode2HTML($text)
}
foreach ($properties as $key => $value) {
+ if (in_array($key, ['thumbnail_width', 'thumbnail_height', 'width', 'height'])) {
+ // These values should be numbers, so ensure that they really are numbers.
+ $value = (int)$value;
+ } elseif ($key != 'html') {
+ // Avoid being able to inject some ugly stuff through these fields.
+ $value = htmlentities($value);
+ } else {
+ /// @todo Add a way to sanitize the html as well, possibly with an <iframe>?
+ $value = mb_convert_encoding($value, 'HTML-ENTITIES', mb_detect_encoding($value));
+ }
+
if (property_exists(__CLASS__, $key)) {
$this->{$key} = $value;
}
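Review bot: The `else` branch that handles the `html` key does not sanitize anything — `mb_convert_encoding($value, 'HTML-ENTITIES', ...)` only rewrites non-ASCII characters into entities, so `<script>` elements, `on*=` handlers and `javascript:` URLs in `$value` pass through untouched into `$this->html`, and the preceding "Avoid being able to inject some ugly stuff" comment may leave a reader thinking the whole loop is now safe. If `$properties` comes from a remote oEmbed response (not visible here), that field is provider-controlled and should be marked as such until it is actually filtered or rendered only in a sandboxed `<iframe>`, e.g. `/// NOT sanitized: raw provider HTML — render only in a sandboxed <iframe> or pass through an allow-list filter first`. Separately, `mb_detect_encoding()` returns `false` when it cannot identify the encoding and that value is fed straight into `$from_encoding`; use an explicit order with a fallback, `mb_convert_encoding($value, 'HTML-ENTITIES', mb_detect_encoding($value, mb_detect_order(), true) ?: 'UTF-8')`. `in_array($key, [...])` should pass `true` as its third argument, and `htmlentities($value)` escapes single quotes only on PHP >= 8.1 — pass `ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'` explicitly so attribute contexts are covered regardless of runtime version. The enclosing method begins above this hunk.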