\r
use Friendica\Core\Cache;\r
use Friendica\Core\System;\r
-use Friendica\ParseUrl;\r
use Friendica\Core\Config;\r
use Friendica\Database\DBM;\r
+use Friendica\ParseUrl;\r
use dba;\r
use DOMDocument;\r
use DOMXPath;\r
break;\r
case "rich":\r
// not so safe..\r
- if (!Config::get("system", "no_oembed_rich_content")) {\r
- $ret.= proxy_parse_html($jhtml);\r
+ if (self::isAllowedURL($embedurl)) {\r
+ $ret .= proxy_parse_html($jhtml);\r
}\r
break;\r
}\r
}\r
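Review bot: The `// not so safe..` comment above the new `isAllowedURL($embedurl)` guard no longer describes what the branch does, since rich HTML is now only embedded when the provider URL passes a host allow-list check. I would replace it with `// Rich HTML is only embedded when the provider host passes the allowed_oembed check (see isAllowedURL)` so the next reader does not mistake the guard for the old global kill switch. The enclosing switch and its function start outside this hunk, so I cannot tell here where `$embedurl` is set.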
$width = '100%';\r
\r
- $s = System::baseUrl() . '/oembed/' . base64url_encode($src);\r
+ // Only proxy OEmbed URLs to avoid mixed-content errors\r
+ if (Config::get('system', 'ssl_policy') == SSL_POLICY_FULL && parse_url($src, PHP_URL_SCHEME) !== 'https') {\r
+ $src = System::baseUrl() . '/oembed/' . base64url_encode($src);\r
+ }\r
return '<iframe onload="resizeIframe(this);" class="embed_rich" height="' . $height . '" width="' . $width . '" src="' . $s . '" allowfullscreen scrolling="no" frameborder="no">' . t('Embedded content') . '</iframe>';\r
}\r
\r
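Review bot: The `return` line still interpolates `$s` into `src="..."`, but the only assignment to `$s` was the removed line and the new conditional assigns `$src` instead, so the iframe is emitted with an empty src (plus an undefined-variable notice) on every code path. The return should read `src="' . $src . '"`. While here, the new condition compares the `ssl_policy` config value with `==`; if the stored value is a string, `===` would silently fail, so either keep `==` deliberately or cast with `(int)` before a strict comparison. Note that `parse_url($src, PHP_URL_SCHEME)` returns null for scheme-relative `//host/...` values, so those are proxied too, which is presumably intended. The enclosing function begins outside this hunk.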
}\r
return $innerHTML;\r
}\r
+\r
+ /**\r
+ * Determines if rich content OEmbed is allowed for the provided URL\r
+ *\r
+ * @brief Determines if rich content OEmbed is allowed for the provided URL\r
+ * @param string $url\r
+ * @return boolean\r
+ */\r
+ private static function isAllowedURL($url)\r
+ {\r
+ if (!Config::get('system', 'no_oembed_rich_content')) {\r
+ return true;\r
+ }\r
+\r
+ $domain = parse_url($url, PHP_URL_HOST);\r
+\r
+ $str_allowed = Config::get('system', 'allowed_oembed', '');\r
+ $allowed = explode(',', $str_allowed);\r
+\r
+ return allowed_domain($domain, $allowed, true);\r
+ }\r
}\r
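Review bot: `isAllowedURL` passes the result of `parse_url($url, PHP_URL_HOST)` straight to `allowed_domain`, but that call returns null for a URL without a host and false for a malformed one, so an unparsable provider URL is judged by whatever `allowed_domain` does with a non-string rather than being rejected outright. Since this gate exists to restrict which hosts may inject rich HTML, a deny-by-default guard after the parse is safer: `if (empty($domain)) { return false; }`. Similarly, `explode(',', '')` yields `['']` when `allowed_oembed` is unset, and the meaning of the bare `true` third argument depends on `allowed_domain`, which is not visible here; a short comment naming that flag would help. The docblock could also state that an empty `no_oembed_rich_content` setting allows every URL, which is the non-obvious part of the contract.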