clones/friendica
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Remove support for [iframe] BBCode

Browse Source 
- It was a huge gaping security hole, and now HTML Purify will remove the src attribute of all non-allowed sources anyway.
This commit is contained in:
Hypolite Petovan
2020-12-18 01:16:35 -05:00
parent 13c7224789
commit ec0c9dcdb1
4 changed files with 5 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
src/Content/Text/BBCode.php
View File

@@ -1622,11 +1622,8 @@ class BBCode
'<a href="$1" target="_blank" rel="noopener noreferrer">$1</a>', $text);
}
if ($try_oembed) {
$text = preg_replace("/\[iframe\](.*?)\[\/iframe\]/ism", '<iframe src="$1" width="' . $a->videowidth . '" height="' . $a->videoheight . '"><a href="$1">$1</a></iframe>', $text);
} else {
$text = preg_replace("/\[iframe\](.*?)\[\/iframe\]/ism", '<a href="$1">$1</a>', $text);
}
// Backward compatibility, [iframe] support has been removed in version 2020.12
$text = preg_replace("/\[iframe\](.*?)\[\/iframe\]/ism", '<a href="$1">$1</a>', $text);
// Youtube extensions
if ($try_oembed) {