Sanitize html returned by oEmbed providers to protect laconica from XSS attacks

author: Craig Andrews <candrews@integralblue.com> 2009-07-27 13:42:03 -0400
committer: Craig Andrews <candrews@integralblue.com> 2009-07-27 13:42:03 -0400
commit: ac75772150c3fe9411408ac44db04e774d095aa0 (patch)
tree: fcf7b18289a31e602a821a7ea22f82e4c3cd3a54 /lib/attachmentlist.php
parent: b9cf19a2ee4b483709f1e964860fcf9209c4ba05 (diff)
1 files changed, 6 insertions, 1 deletions
diff --git a/lib/attachmentlist.php b/lib/attachmentlist.php
index f6a1b59d0..41d03f8e2 100644
--- a/lib/attachmentlist.php
+++ b/lib/attachmentlist.php
@@ -340,7 +340,12 @@ class Attachment extends AttachmentListItem
             case 'video':
             case 'link':
                 if (!empty($this->oembed->html)) {
-                    $this->out->raw($this->oembed->html);
+                    require_once INSTALLDIR.'/extlib/htmLawed/htmLawed.php';
+                    $config = array(
+                        'safe'=>1,
+                        'elements'=>'*+object+embed');
+                    $this->out->raw(htmLawed($this->oembed->html,$config));
+                    //$this->out->raw($this->oembed->html);
                 }
                 break;
author	Craig Andrews <candrews@integralblue.com>	2009-07-27 13:42:03 -0400
committer	Craig Andrews <candrews@integralblue.com>	2009-07-27 13:42:03 -0400
commit	ac75772150c3fe9411408ac44db04e774d095aa0 (patch)
tree	fcf7b18289a31e602a821a7ea22f82e4c3cd3a54 /lib/attachmentlist.php
parent	b9cf19a2ee4b483709f1e964860fcf9209c4ba05 (diff)