feat: Add option for safe iframe hosts using array lookup (#423)
Co-authored-by: Edward Z. Yang <ezyang@meta.com>
@@ -608,4 +608,9 @@
|
|||||||
<line>35</line>
|
<line>35</line>
|
||||||
</file>
|
</file>
|
||||||
</directive>
|
</directive>
|
||||||
|
<directive id="URI.SafeIframeHosts">
|
||||||
|
<file name="HTMLPurifier/URIFilter/SafeIframe.php">
|
||||||
|
<line>67</line>
|
||||||
|
</file>
|
||||||
|
</directive>
|
||||||
</usage>
|
</usage>
|
||||||
|
@@ -6,7 +6,7 @@ DEFAULT: false
|
|||||||
<p>
|
<p>
|
||||||
Whether or not to permit iframe tags in untrusted documents. This
|
Whether or not to permit iframe tags in untrusted documents. This
|
||||||
directive must be accompanied by a whitelist of permitted iframes,
|
directive must be accompanied by a whitelist of permitted iframes,
|
||||||
such as %URI.SafeIframeRegexp, otherwise it will fatally error.
|
such as %URI.SafeIframeRegexp or %URI.SafeIframeHosts, otherwise it will fatally error.
|
||||||
This directive has no effect on strict doctypes, as iframes are not
|
This directive has no effect on strict doctypes, as iframes are not
|
||||||
valid.
|
valid.
|
||||||
</p>
|
</p>
|
||||||
|
@@ -0,0 +1,14 @@
|
|||||||
|
URI.SafeIframeHosts
|
||||||
|
TYPE: lookup/null
|
||||||
|
DEFAULT: null
|
||||||
|
--DESCRIPTION--
|
||||||
|
<p>
|
||||||
|
A whitelist which indicates what explicit hosts should be
|
||||||
|
allowed to embed iframe. See also %HTML.SafeIframeRegexp,
|
||||||
|
it has precedence over this config. Here are some example values:
|
||||||
|
</p>
|
||||||
|
<ul>
|
||||||
|
<li><code>www.youtube.com</code> - Allow YouTube videos</li>
|
||||||
|
<li><code>maps.google.com</code> - Allow Embedding a Google map</li>
|
||||||
|
</ul>
|
||||||
|
--# vim: et sw=4 sts=4
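Review bot: The cross-reference at `See also %HTML.SafeIframeRegexp` names a directive that does not exist; the regexp whitelist referred to elsewhere in this commit is `%URI.SafeIframeRegexp`, so the line should read `allowed to embed iframe. See also %URI.SafeIframeRegexp,`. The precedence sentence is also vaguer than the code it documents: when the regexp is set the host list is not consulted at all, so phrasing it as `when %URI.SafeIframeRegexp is set, this list is ignored` would tell users that the two whitelists are not combined. It would also help to state that matching is on the exact host string, so a listed `www.youtube.com` covers neither `youtube.com` nor any other subdomain.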
|
@@ -57,11 +57,12 @@ class HTMLPurifier_URIFilter_SafeIframe extends HTMLPurifier_URIFilter
|
|||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
// check if we actually have some whitelists enabled
|
// check if we actually have some whitelists enabled
|
||||||
if ($this->regexp === null) {
|
if ($this->regexp !== null) {
|
||||||
return false;
|
return preg_match($this->regexp, $uri->toString());
|
||||||
}
|
}
|
||||||
// actually check the whitelists
|
// check if the host is in a whitelist for safe iframe hosts
|
||||||
return preg_match($this->regexp, $uri->toString());
|
$safeHosts = $config->get('URI.SafeIframeHosts');
|
||||||
|
return $safeHosts !== null && isset($safeHosts[$uri->host]);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
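Review bot: The comment kept at `// check if we actually have some whitelists enabled` no longer describes the branch below it, which now returns the regexp result outright, so a regexp and a host list can never be combined — the host list is consulted only when `URI.SafeIframeRegexp` is unset. If that precedence is intended, say so at that point: `// URI.SafeIframeRegexp takes precedence; when it is set the host list is never consulted`. The host list is also fetched from `$config` on every call while `$this->regexp` is presumably loaded once in prepare(), which sits outside this hunk; loading `URI.SafeIframeHosts` there too would keep the two whitelists consistent. Whether the `isset($safeHosts[$uri->host])` lookup is case-insensitive depends on whether the host has already been lowercased by URI validation upstream, which this hunk does not show — worth confirming or documenting, since the list is keyed on exact host strings. The enclosing filter() method starts before this hunk.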
|
@@ -0,0 +1,8 @@
|
|||||||
|
--INI--
|
||||||
|
HTML.SafeIframe = true
|
||||||
|
URI.SafeIframeHosts = www.youtube.com
|
||||||
|
--HTML--
|
||||||
|
<iframe title="YouTube video player" width="480" height="390" src="http://www.youtube.com/embed/RVtEQxH7PWA" frameborder="0" allowfullscreen></iframe>
|
||||||
|
--EXPECT--
|
||||||
|
<iframe title="YouTube video player" width="480" height="390" src="http://www.youtube.com/embed/RVtEQxH7PWA" frameborder="0"></iframe>
|
||||||
|
--# vim: et sw=4 sts=4
|
@@ -115,6 +115,12 @@ class HTMLPurifier_Injector_RemoveEmptyTest extends HTMLPurifier_InjectorHarness
|
|||||||
$this->assertResult('<iframe src="http://google.com"></iframe>', '');
|
$this->assertResult('<iframe src="http://google.com"></iframe>', '');
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public function testRemoveDisallowedIframeDeniedByHostsList()
|
||||||
|
{
|
||||||
|
$this->config->set('HTML.SafeIframe', true);
|
||||||
|
$this->config->set('URI.SafeIframeHosts', ['www.youtube.com']);
|
||||||
|
$this->assertResult('<iframe src="http://maps.google.com"></iframe>', '');
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// vim: et sw=4 sts=4
|
// vim: et sw=4 sts=4
|
||||||
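Review bot: The new test `testRemoveDisallowedIframeDeniedByHostsList` covers only the denied case, and no test in this commit checks the documented precedence between `URI.SafeIframeRegexp` and `URI.SafeIframeHosts` (per the filter change, a URI that is in the host list but does not match a configured regexp is rejected). A companion test that sets both directives and asserts the regexp outcome would pin that behaviour. The value passed, `['www.youtube.com']`, is a plain list while the directive is declared as `lookup/null`; this presumably relies on the config layer converting a list into a lookup, which is worth confirming so the test does not pass only because a malformed value behaves like an empty whitelist.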
|