From ac75772150c3fe9411408ac44db04e774d095aa0 Mon Sep 17 00:00:00 2001
From: Craig Andrews
Date: Mon, 27 Jul 2009 13:42:03 -0400
Subject: Sanitize html returned by oEmbed providers to protect laconica from XSS attacks
---
lib/attachmentlist.php | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
(limited to 'lib/attachmentlist.php')
diff --git a/lib/attachmentlist.php b/lib/attachmentlist.php
index f6a1b59d0..41d03f8e2 100644
--- a/lib/attachmentlist.php
+++ b/lib/attachmentlist.php
@@ -340,7 +340,12 @@ class Attachment extends AttachmentListItem
 case 'video':
 case 'link':
 if (!empty($this->oembed->html)) {
- $this->out->raw($this->oembed->html);
+ require_once INSTALLDIR.'/extlib/htmLawed/htmLawed.php';
+ $config = array(
+ 'safe'=>1,
+ 'elements'=>'*+object+embed');
+ $this->out->raw(htmLawed($this->oembed->html,$config));
+ //$this->out->raw($this->oembed->html);
 }
 break;
-- 
cgit v1.2.3-54-g00ecf
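Review bot: The `'elements'=>'*+object+embed'` entry in `$config` re-admits the two elements that htmLawed's `safe` mode is there to strip, so a malicious or compromised oEmbed provider can still have the page load arbitrary plugin content through `object`/`embed` `data` and `src` attributes; the commit's XSS goal is only partly met for the `video` and `link` cases. If those elements are genuinely needed for video providers, restrict what they may reference with htmLawed's `schemes` option (e.g. add `'schemes'=>'*: http, https'` to `$config`) and consider permitting them only for an explicit allow-list of trusted providers, otherwise drop the two additions and rely on `safe` alone. The commented-out line `//$this->out->raw($this->oembed->html);` is dead code and should be deleted rather than left as a reminder of the unsafe path. The enclosing method begins and ends outside the hunk.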