author | Craig Andrews <candrews@integralblue.com> | 2009-07-27 13:42:03 -0400 |
committer | Craig Andrews <candrews@integralblue.com> | 2009-07-27 13:42:03 -0400 |
commit | ac75772150c3fe9411408ac44db04e774d095aa0 (patch) | |
tree | fcf7b18289a31e602a821a7ea22f82e4c3cd3a54 /lib | |
parent | b9cf19a2ee4b483709f1e964860fcf9209c4ba05 (diff) |
Sanitize html returned by oEmbed providers to protect laconica from XSS attacks
Diffstat (limited to 'lib')
-rw-r--r-- | lib/attachmentlist.php | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/lib/attachmentlist.php b/lib/attachmentlist.php
index f6a1b59d0..41d03f8e2 100644
--- a/lib/attachmentlist.php
+++ b/lib/attachmentlist.php
@@ -340,7 +340,12 @@ class Attachment extends AttachmentListItem
 case 'video':
 case 'link':
 if (!empty($this->oembed->html)) {
- $this->out->raw($this->oembed->html);
+ require_once INSTALLDIR.'/extlib/htmLawed/htmLawed.php';
+ $config = array(
+ 'safe'=>1,
+ 'elements'=>'*+object+embed');
+ $this->out->raw(htmLawed($this->oembed->html,$config));
+ //$this->out->raw($this->oembed->html);
 }
 break;
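Review bot: The `'elements'=>'*+object+embed'` entry re-enables two of the elements that htmLawed's `safe` mode exists to remove, so the sanitizer is weakened for exactly the markup a third-party oEmbed provider controls; `object`/`embed` can load plugin content from any provider-chosen URL, and whether safe mode also strips script-enabling `param` values for those elements is not visible here — confirm before relying on it. At minimum constrain the URLs those elements may reference, e.g. `'schemes'=>'*:http, https'` alongside `'safe'=>1`, and consider an allowlist of oEmbed providers whose HTML is accepted at all, since the sanitizer is now the only barrier between provider output and `$this->out->raw()`. The commented-out `//$this->out->raw($this->oembed->html);` line should be deleted rather than left behind, as it invites someone to restore the unsanitized path. The enclosing method and its `switch` start and end outside this hunk.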