Commit 8439efe7 authored by mmn's avatar mmn

Filter out img, video and audio tags in notice HTML

Because we don't want to auto-fetch items from a remote server. Such
items should be delivered as attachment metadata and portrayed in the
way the local instance chooses.

Choices for portrayal are either simply nullifying this and embedding
the data, linking the file remotely requiring a manual click or maybe
use remote oEmbed data etc. to download files locally so no remote
requests have to be made.
parent a1098fa1
......@@ -285,6 +285,11 @@ $default =
array('handle' => false, // whether to handle sessions ourselves
'debug' => false, // debugging output for sessions
'gc_limit' => 1000), // max sessions to expire at a time
'htmlfilter' => array( // purify HTML through htmLawed
'img' => true,
'video' => true,
'audio' => true,
),
'notice' =>
array('contentlimit' => null,
'defaultscope' => null, // null means 1 if site/private, 0 otherwise
......
......@@ -580,9 +580,18 @@ function common_purify($html)
{
require_once INSTALLDIR.'/extlib/htmLawed/htmLawed.php';
$config = array('safe' => 1,
$config = array('safe' => 1, // means that elements=* means elements=*-applet-embed-iframe-object-script or so
'elements' => '*',
'deny_attribute' => 'id,style,on*');
// Remove more elements than what the 'safe' filter gives (elements must be '*' before this)
// http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed/htmLawed_README.htm#s3.6
foreach (common_config('htmlfilter') as $tag=>$filter) {
if ($filter === true) {
$config['elements'] .= "-{$tag}";
}
}
$html = common_remove_unicode_formatting($html);
return htmLawed($html, $config);
......@@ -1929,9 +1938,14 @@ function common_negotiate_type($cprefs, $sprefs)
return $besttype;
}
function common_config($main, $sub)
function common_config($main, $sub=null)
{
global $config;
if (is_null($sub)) {
// Return the config category array
return array_key_exists($main, $config) ? $config[$main] : array();
}
// Return the config value
return (array_key_exists($main, $config) &&
array_key_exists($sub, $config[$main])) ? $config[$main][$sub] : false;
}
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment