Merge pull request #4179 from MrPetovan/bug/4173-fix-oembed-iframe-url

Fix OEmbed iframe
Michael Vogel 2018-01-07 09:28:44 +01:00 committed by GitHub
commit 1fdde9b140
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 108 additions and 86 deletions


@ -40,8 +40,19 @@ function bb_map_location($match) {
return str_replace($match[0], '<div class="map" >' . Map::byLocation($match[1]) . '</div>', $match[0]);
}
function bb_attachment($Text, $simplehtml = false, $tryoembed = true) {
/**
* Processes [attachment] tags
*
* Note: Can produce a [bookmark] tag in the returned string
*
* @brief Processes [attachment] tags
* @param string $Text
* @param bool|int $simplehtml
* @param bool $tryoembed
* @return string
*/
function bb_attachment($Text, $simplehtml = false, $tryoembed = true)
{
$data = get_attachment_data($Text);
if (!$data) {
return $Text;
@ -52,10 +63,7 @@ function bb_attachment($Text, $simplehtml = false, $tryoembed = true) {
$data["title"] = str_replace(array("http://", "https://"), "", $data["title"]);
}
if (((strpos($data["text"], "[img=") !== false)
|| (strpos($data["text"], "[img]") !== false)
|| Config::get('system', 'always_show_preview'))
&& ($data["image"] != "")) {
if (((strpos($data["text"], "[img=") !== false) || (strpos($data["text"], "[img]") !== false) || Config::get('system', 'always_show_preview')) && ($data["image"] != "")) {
$data["preview"] = $data["image"];
$data["image"] = "";
}
@ -69,14 +77,16 @@ function bb_attachment($Text, $simplehtml = false, $tryoembed = true) {
$text = sprintf('<span class="type-%s">', $data["type"]);
}
$bookmark = array(sprintf('[bookmark=%s]%s[/bookmark]', $data["url"], $data["title"]), $data["url"], $data["title"]);
$oembed = sprintf('[bookmark=%s]%s[/bookmark]', $data['url'], $data['title']);
if ($tryoembed) {
$oembed = tryoembed($bookmark);
} else {
$oembed = $bookmark[0];
try {
$oembed = OEmbed::getHTML($data['url'], $data['title']);
} catch (Exception $e) {
// $oembed isn't modified
}
}
if (strstr(strtolower($oembed), "<iframe ")) {
if (stripos($oembed, "<iframe ") !== false) {
$text = $oembed;
} else {
if (($data["image"] != "") && !strstr(strtolower($oembed), "<img ")) {
@ -100,7 +110,7 @@ function bb_attachment($Text, $simplehtml = false, $tryoembed = true) {
$text .= '</span>';
}
}
return trim($data["text"].' '.$text.' '.$data["after"]);
return trim($data["text"] . ' ' . $text . ' ' . $data["after"]);
}
function bb_remove_share_information($Text, $plaintext = false, $nolink = false) {
@ -223,32 +233,6 @@ function stripcode_br_cb($s) {
return '[code]' . str_replace('<br />', '', $s[1]) . '[/code]';
}
function tryoembed($match) {
$url = $match[1];
// Always embed the SSL version
$url = str_replace(array("http://www.youtube.com/", "http://player.vimeo.com/"),
array("https://www.youtube.com/", "https://player.vimeo.com/"), $url);
$o = OEmbed::fetchURL($url);
if (!is_object($o)) {
return $match[0];
}
if (isset($match[2])) {
$o->title = $match[2];
}
if ($o->type == "error") {
return $match[0];
}
$html = OEmbed::formatObject($o);
return $html;
}
/*
* [noparse][i]italic[/i][/noparse] turns into
* [noparse][ i ]italic[ /i ][/noparse],
@ -432,6 +416,16 @@ function bb_replace_images($body, $images) {
return $newbody;
}
/**
* Processes [share] tags
*
* Note: Can produce a [bookmark] tag in the output
*
* @brief Processes [share] tags
* @param array $share preg_match_callback result array
* @param bool|int $simplehtml
* @return string
*/
function bb_ShareAttributes($share, $simplehtml)
{
$attributes = $share[2];
@ -520,7 +514,6 @@ function bb_ShareAttributes($share, $simplehtml)
}
$preshare = trim($share[1]);
if ($preshare != "") {
$preshare .= "<br /><br />";
}
@ -541,7 +534,7 @@ function bb_ShareAttributes($share, $simplehtml)
$text .= "<hr />";
}
if (substr(normalise_link($link), 0, 19) != "http://twitter.com/") {
if (stripos(normalise_link($link), 'http://twitter.com/') === 0) {
$text .= $headline . '<blockquote>' . trim($share[3]) . "</blockquote><br />";
if ($link != "") {
@ -586,20 +579,30 @@ function bb_ShareAttributes($share, $simplehtml)
}
break;
default:
$text = trim($share[1]) . "\n";
// Transforms quoted tweets in rich attachments to avoid nested tweets
if (stripos(normalise_link($link), 'http://twitter.com/') === 0 && OEmbed::isAllowedURL($link)) {
try {
$oembed = OEmbed::getHTML($link, $preshare);
} catch (Exception $e) {
$oembed = sprintf('[bookmark=%s]%s[/bookmark]', $link, $preshare);
}
$avatar = proxy_url($avatar, false, PROXY_SIZE_THUMB);
$text = $preshare . $oembed;
} else {
$text = trim($share[1]) . "\n";
$tpl = get_markup_template('shared_content.tpl');
$text .= replace_macros($tpl, array(
$avatar = proxy_url($avatar, false, PROXY_SIZE_THUMB);
$tpl = get_markup_template('shared_content.tpl');
$text .= replace_macros($tpl, array(
'$profile' => $profile,
'$avatar' => $avatar,
'$author' => $author,
'$link' => $link,
'$posted' => $posted,
'$content' => trim($share[3])
)
);
));
}
break;
}
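Review bot: The Twitter test guarding the `$headline . '<blockquote>'` branch of `bb_ShareAttributes` looks inverted. The earlier line read `substr(normalise_link($link), 0, 19) != "http://twitter.com/"` and the new one reads `stripos(normalise_link($link), 'http://twitter.com/') === 0`, so the blockquote body now runs only for Twitter links rather than for everything else. Assuming the page prints old then new, as it does elsewhere, the condition should be `if (stripos(normalise_link($link), 'http://twitter.com/') !== 0) {`; the rest of that branch lies outside the hunk, so confirm the else arm was not swapped too. Separately, in the `default:` case `$preshare` appears to have `<br /><br />` appended before it is passed as the title to `OEmbed::getHTML($link, $preshare)` and to the `[bookmark=%s]%s[/bookmark]` fallback, so markup ends up inside the link text. Passing `trim($share[1])` as the title would avoid that.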


@ -15,6 +15,7 @@ use dba;
use DOMDocument;
use DOMXPath;
use DOMNode;
use Exception;
require_once 'include/dba.php';
require_once 'mod/proxy.php';
@ -160,8 +161,8 @@ class OEmbed
public static function formatObject($j)
{
$embedurl = $j->embedurl;
$jhtml = self::iframe($j->embedurl, (isset($j->width) ? $j->width : null), (isset($j->height) ? $j->height : null));
$ret = "<span class='oembed " . $j->type . "'>";
$jhtml = $j->html;
$ret = '<div class="oembed ' . $j->type . '">';
switch ($j->type) {
case "video":
if (isset($j->thumbnail_url)) {
@ -173,7 +174,7 @@ class OEmbed
$th = 120;
$tw = $th * $tr;
$tpl = get_markup_template('oembed_video.tpl');
$ret.=replace_macros($tpl, array(
$ret .= replace_macros($tpl, array(
'$baseurl' => System::baseUrl(),
'$embedurl' => $embedurl,
'$escapedhtml' => base64_encode($jhtml),
@ -184,33 +185,32 @@ class OEmbed
} else {
$ret = $jhtml;
}
//$ret.="<br>";
break;
case "photo":
$ret.= "<img width='" . $j->width . "' src='" . proxy_url($j->url) . "'>";
$ret .= '<img width="' . $j->width . '" src="' . proxy_url($j->url) . '">';
break;
case "link":
break;
case "rich":
// not so safe..
if (self::isAllowedURL($embedurl)) {
$ret .= proxy_parse_html($jhtml);
}
break;
}
$ret .= '</div>';
// add link to source if not present in "rich" type
if ($j->type != 'rich' || !strpos($j->html, $embedurl)) {
$ret .= "<h4>";
$ret .= '<h4>';
if (isset($j->title)) {
if (isset($j->provider_name)) {
$ret .= $j->provider_name . ": ";
}
$embedlink = (isset($j->title)) ? $j->title : $embedurl;
$ret .= "<a href='$embedurl' rel='oembed'>$embedlink</a>";
$ret .= '<a href="' . $embedurl . '" rel="oembed">' . $embedlink . '</a>';
if (isset($j->author_name)) {
$ret.=" (" . $j->author_name . ")";
$ret .= ' (' . $j->author_name . ')';
}
} elseif (isset($j->provider_name) || isset($j->author_name)) {
$embedlink = "";
@ -229,16 +229,14 @@ class OEmbed
$embedlink = $embedurl;
}
$ret .= "<a href='$embedurl' rel='oembed'>$embedlink</a>";
$ret .= '<a href="' . $embedurl . '" rel="oembed">' . $embedlink . '</a>';
}
//if (isset($j->author_name)) $ret.=" by ".$j->author_name;
//if (isset($j->provider_name)) $ret.=" on ".$j->provider_name;
$ret .= "</h4>";
} else {
} elseif (!strpos($j->html, $embedurl)) {
// add <a> for html2bbcode conversion
$ret .= "<a href='$embedurl' rel='oembed'>$embedurl</a>";
$ret .= '<a href="' . $embedurl . '" rel="oembed">' . $j->title . '</a>';
}
$ret.="</span>";
$ret = str_replace("\n", "", $ret);
return mb_convert_encoding($ret, 'HTML-ENTITIES', mb_detect_encoding($ret));
}
@ -272,7 +270,7 @@ class OEmbed
$xpath = new DOMXPath($dom);
$xattr = self::buildXPath("class", "oembed");
$entries = $xpath->query("//span[$xattr]");
$entries = $xpath->query("//div[$xattr]");
$xattr = "@rel='oembed'"; //oe_build_xpath("rel","oembed");
foreach ($entries as $e) {
@ -287,6 +285,48 @@ class OEmbed
}
}
/**
* Determines if rich content OEmbed is allowed for the provided URL
*
* @brief Determines if rich content OEmbed is allowed for the provided URL
* @param string $url
* @return boolean
*/
public static function isAllowedURL($url)
{
if (!Config::get('system', 'no_oembed_rich_content')) {
return true;
}
$domain = parse_url($url, PHP_URL_HOST);
$str_allowed = Config::get('system', 'allowed_oembed', '');
$allowed = explode(',', $str_allowed);
return allowed_domain($domain, $allowed, true);
}
public static function getHTML($url, $title = null)
{
// Always embed the SSL version
$url = str_replace(array("http://www.youtube.com/", "http://player.vimeo.com/"),
array("https://www.youtube.com/", "https://player.vimeo.com/"), $url);
$o = OEmbed::fetchURL($url);
if (!is_object($o) || $o->type == 'error') {
throw new Exception('OEmbed failed for URL: ' . $url);
}
if (x($title)) {
$o->title = $title;
}
$html = OEmbed::formatObject($o);
return $html;
}
/**
* @brief Generates the iframe HTML for an oembed attachment.
*
@ -299,6 +339,8 @@ class OEmbed
* Since the iframe is automatically resized on load, there are no need for ugly
* and impractical scrollbars.
*
* @todo This function is currently unused until someone™ adds support for a separate OEmbed domain
*
* @param string $src Original remote URL to embed
* @param string $width
* @param string $height
@ -315,10 +357,7 @@ class OEmbed
}
$width = '100%';
// Only proxy OEmbed URLs to avoid mixed-content errors
if (Config::get('system', 'ssl_policy') == SSL_POLICY_FULL && parse_url($src, PHP_URL_SCHEME) !== 'https') {
$src = System::baseUrl() . '/oembed/' . base64url_encode($src);
}
$src = System::baseUrl() . '/oembed/' . base64url_encode($src);
return '<iframe onload="resizeIframe(this);" class="embed_rich" height="' . $height . '" width="' . $width . '" src="' . $src . '" allowfullscreen scrolling="no" frameborder="no">' . t('Embedded content') . '</iframe>';
}
@ -356,24 +395,4 @@ class OEmbed
return $innerHTML;
}
/**
* Determines if rich content OEmbed is allowed for the provided URL
*
* @brief Determines if rich content OEmbed is allowed for the provided URL
* @param string $url
* @return boolean
*/
private static function isAllowedURL($url)
{
if (!Config::get('system', 'no_oembed_rich_content')) {
return true;
}
$domain = parse_url($url, PHP_URL_HOST);
$str_allowed = Config::get('system', 'allowed_oembed', '');
$allowed = explode(',', $str_allowed);
return allowed_domain($domain, $allowed, true);
}
}
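Review bot: `formatObject` now takes `$jhtml = $j->html` instead of wrapping the embed with `self::iframe(...)`, so provider-supplied markup reaches the page directly. The video branch without a thumbnail does `$ret = $jhtml;` with no `isAllowedURL` check, and the rich branch is only restricted when `no_oembed_rich_content` is set, because `isAllowedURL` returns true otherwise. Gating the video fallback the same way as the rich case, with `} elseif (self::isAllowedURL($embedurl)) {` ahead of `$ret = $jhtml;`, would at least make the allow-list apply to both. The rebuilt anchors also concatenate `$embedurl`, `$j->title`, `$j->provider_name` and `$j->author_name` without escaping, which the switch to double-quoted attributes does not change; unless these are escaped upstream, each should go through `htmlspecialchars($value, ENT_QUOTES, 'UTF-8')`. The new `elseif (!strpos($j->html, $embedurl))` arm appears unreachable, since it is only evaluated after the same `strpos` test was truthy, and it reads `$j->title` without an `isset` check; `formatObject` begins before the hunk.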