clones/friendica
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Break out list of acceptable protocols in "src" attribute into separate variable similar to "href" attributes

This commit is contained in:
Matthew Exon 2017-01-30 15:48:12 +00:00
parent d99a96ef49
commit ce10a9aa7f
1 changed files with 4 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
include/bbcode.php
View File

@ -1163,8 +1163,10 @@ function bbcode($Text,$preserve_nl = false, $tryoembed = true, $simplehtml = fal
// fix any escaped ampersands that may have been converted into links
$Text = preg_replace('/\<([^>]*?)(src|href)=(.*?)\&amp\;(.*?)\>/ism', '<$1$2=$3&$4>', $Text);
// sanitizes src attributes (only relative redir URIs or http URLs)
$Text = preg_replace('#<([^>]*?)(src)="(?!http|redir|cid)(.*?)"(.*?)>#ism', '<$1$2=""$4 class="invalid-src" title="' . t('Invalid source protocol') . '">', $Text);
// sanitizes src attributes (http and redir URLs for displaying in a web page, cid used for inline images in emails)
$allowed_src_protocols = array('http', 'redir', 'cid');
$Text = preg_replace('#<([^>]*?)(src)="(?!' . implode('|', $allowed_src_protocols) . ')(.*?)"(.*?)>#ism',
'<$1$2=""$4 class="invalid-src" title="' . t('Invalid source protocol') . '">', $Text);
// sanitize href attributes (only whitelisted protocols URLs)
// default value for backward compatibility