diff options
| author | Craig Andrews <candrews@integralblue.com> | 2009-07-27 13:42:03 -0400 |
|---|---|---|
| committer | Craig Andrews <candrews@integralblue.com> | 2009-07-27 13:42:03 -0400 |
| commit | ac75772150c3fe9411408ac44db04e774d095aa0 (patch) | |
| tree | fcf7b18289a31e602a821a7ea22f82e4c3cd3a54 /lib/attachmentlist.php | |
| parent | b9cf19a2ee4b483709f1e964860fcf9209c4ba05 (diff) | |
Sanitize html returned by oEmbed providers to protect laconica from XSS attacks
Diffstat (limited to 'lib/attachmentlist.php')
| -rw-r--r-- | lib/attachmentlist.php | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/lib/attachmentlist.php b/lib/attachmentlist.php index f6a1b59d0..41d03f8e2 100644 --- a/lib/attachmentlist.php +++ b/lib/attachmentlist.php @@ -340,7 +340,12 @@ class Attachment extends AttachmentListItem case 'video': case 'link': if (!empty($this->oembed->html)) { - $this->out->raw($this->oembed->html); + require_once INSTALLDIR.'/extlib/htmLawed/htmLawed.php'; + $config = array( + 'safe'=>1, + 'elements'=>'*+object+embed'); + $this->out->raw(htmLawed($this->oembed->html,$config)); + //$this->out->raw($this->oembed->html); } break; |