From 8439efe77d7574756bd7f16a625cd33025dcc659 Mon Sep 17 00:00:00 2001 From: Mikael Nordfeldth Date: Sun, 15 Mar 2015 14:35:29 +0100 Subject: [PATCH] Filter out img, video and audio tags in notice HTML Because we don't want to auto-fetch items from a remote server. Such items should be delivered as attachment metadata and portrayed in the way the local instance chooses. Choices for portrayal are either simply nullifying this and embedding the data, linking the file remotely requiring a manual click or maybe use remote oEmbed data etc. to download files locally so no remote requests have to be made. --- lib/default.php | 5 +++++ lib/util.php | 18 ++++++++++++++++-- 2 files changed, 21 insertions(+), 2 deletions(-) diff --git a/lib/default.php b/lib/default.php index e9382a86bc..c0d559e1cc 100644 --- a/lib/default.php +++ b/lib/default.php @@ -285,6 +285,11 @@ $default = array('handle' => false, // whether to handle sessions ourselves 'debug' => false, // debugging output for sessions 'gc_limit' => 1000), // max sessions to expire at a time + 'htmlfilter' => array( // purify HTML through htmLawed + 'img' => true, + 'video' => true, + 'audio' => true, + ), 'notice' => array('contentlimit' => null, 'defaultscope' => null, // null means 1 if site/private, 0 otherwise diff --git a/lib/util.php b/lib/util.php index f29507f846..14cfd96ee1 100644 --- a/lib/util.php +++ b/lib/util.php @@ -580,9 +580,18 @@ function common_purify($html) { require_once INSTALLDIR.'/extlib/htmLawed/htmLawed.php'; - $config = array('safe' => 1, + $config = array('safe' => 1, // means that elements=* means elements=*-applet-embed-iframe-object-script or so + 'elements' => '*', 'deny_attribute' => 'id,style,on*'); + // Remove more elements than what the 'safe' filter gives (elements must be '*' before this) + // http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed/htmLawed_README.htm#s3.6 + foreach (common_config('htmlfilter') as $tag=>$filter) { + if ($filter === true) { + $config['elements'] .= "-{$tag}"; + } + } + $html = common_remove_unicode_formatting($html); return htmLawed($html, $config); @@ -1929,9 +1938,14 @@ function common_negotiate_type($cprefs, $sprefs) return $besttype; } -function common_config($main, $sub) +function common_config($main, $sub=null) { global $config; + if (is_null($sub)) { + // Return the config category array + return array_key_exists($main, $config) ? $config[$main] : array(); + } + // Return the config value return (array_key_exists($main, $config) && array_key_exists($sub, $config[$main])) ? $config[$main][$sub] : false; } -- 2.39.5