summaryrefslogtreecommitdiff
path: root/lib
diff options
context:
space:
mode:
authorCraig Andrews <candrews@integralblue.com>2009-07-27 13:42:03 -0400
committerCraig Andrews <candrews@integralblue.com>2009-07-27 13:42:03 -0400
commitac75772150c3fe9411408ac44db04e774d095aa0 (patch)
treefcf7b18289a31e602a821a7ea22f82e4c3cd3a54 /lib
parentb9cf19a2ee4b483709f1e964860fcf9209c4ba05 (diff)
Sanitize html returned by oEmbed providers to protect laconica from XSS attacks
Diffstat (limited to 'lib')
-rw-r--r--lib/attachmentlist.php7
1 files changed, 6 insertions, 1 deletions
diff --git a/lib/attachmentlist.php b/lib/attachmentlist.php
index f6a1b59d0..41d03f8e2 100644
--- a/lib/attachmentlist.php
+++ b/lib/attachmentlist.php
@@ -340,7 +340,12 @@ class Attachment extends AttachmentListItem
case 'video':
case 'link':
if (!empty($this->oembed->html)) {
- $this->out->raw($this->oembed->html);
+ require_once INSTALLDIR.'/extlib/htmLawed/htmLawed.php';
+ $config = array(
+ 'safe'=>1,
+ 'elements'=>'*+object+embed');
+ $this->out->raw(htmLawed($this->oembed->html,$config));
+ //$this->out->raw($this->oembed->html);
}
break;