mirrors/htmlpurifier
0
0
Fork 0
mirror of https://github.com/ezyang/htmlpurifier.git synced 2024-12-22 08:21:52 +00:00
Code Releases Activity

feat: Add option for safe iframe hosts using array lookup (#423)

Browse Source 
Co-authored-by: Edward Z. Yang <ezyang@meta.com>
This commit is contained in:
Eli Barbosa 2024-11-09 19:02:09 -08:00 committed by GitHub
parent f16ace76cd
commit b5cbf0cc3d
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
7 changed files with 40 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
configdoc/usage.xml
View File

@ -608,4 +608,9 @@
<line>35</line> <line>35</line>
</file> </file>
</directive> </directive>
<directive id="URI.SafeIframeHosts">
<file name="HTMLPurifier/URIFilter/SafeIframe.php">
<line>67</line>
</file>
</directive>
</usage> </usage>

2
library/HTMLPurifier/ConfigSchema/schema.ser
View File

File diff suppressed because one or more lines are too long

2
library/HTMLPurifier/ConfigSchema/schema/HTML.SafeIframe.txt
View File

@ -6,7 +6,7 @@ DEFAULT: false
<p> <p>
Whether or not to permit iframe tags in untrusted documents. This Whether or not to permit iframe tags in untrusted documents. This
directive must be accompanied by a whitelist of permitted iframes, directive must be accompanied by a whitelist of permitted iframes,
such as %URI.SafeIframeRegexp, otherwise it will fatally error. such as %URI.SafeIframeRegexp or %URI.SafeIframeHosts, otherwise it will fatally error.
This directive has no effect on strict doctypes, as iframes are not This directive has no effect on strict doctypes, as iframes are not
valid. valid.
</p> </p>

14
library/HTMLPurifier/ConfigSchema/schema/URI.SafeIframeHosts.txt Normal file
View File

@ -0,0 +1,14 @@
URI.SafeIframeHosts
TYPE: lookup/null
DEFAULT: null
--DESCRIPTION--
<p>
A whitelist which indicates what explicit hosts should be
allowed to embed iframe. See also %HTML.SafeIframeRegexp,
it has precedence over this config. Here are some example values:
</p>
<ul>
<li><code>www.youtube.com</code> - Allow YouTube videos</li>
<li><code>maps.google.com</code> - Allow Embedding a Google map</li>
</ul>
--# vim: et sw=4 sts=4

9
library/HTMLPurifier/URIFilter/SafeIframe.php
View File

@ -57,12 +57,13 @@ class HTMLPurifier_URIFilter_SafeIframe extends HTMLPurifier_URIFilter
return true; return true;
} }
// check if we actually have some whitelists enabled // check if we actually have some whitelists enabled
if ($this->regexp === null) { if ($this->regexp !== null) {
return false;
}
// actually check the whitelists
return preg_match($this->regexp, $uri->toString()); return preg_match($this->regexp, $uri->toString());
} }
// check if the host is in a whitelist for safe iframe hosts
$safeHosts = $config->get('URI.SafeIframeHosts');
return $safeHosts !== null && isset($safeHosts[$uri->host]);
}
} }
// vim: et sw=4 sts=4 // vim: et sw=4 sts=4

8
tests/HTMLPurifier/HTMLT/safe-iframe-youtube-with-array-lookup.htmlt Normal file
View File

@ -0,0 +1,8 @@
--INI--
HTML.SafeIframe = true
URI.SafeIframeHosts = www.youtube.com
--HTML--
<iframe title="YouTube video player" width="480" height="390" src="http://www.youtube.com/embed/RVtEQxH7PWA" frameborder="0" allowfullscreen></iframe>
--EXPECT--
<iframe title="YouTube video player" width="480" height="390" src="http://www.youtube.com/embed/RVtEQxH7PWA" frameborder="0"></iframe>
--# vim: et sw=4 sts=4

6
tests/HTMLPurifier/Injector/RemoveEmptyTest.php
View File

@ -115,6 +115,12 @@ class HTMLPurifier_Injector_RemoveEmptyTest extends HTMLPurifier_InjectorHarness
$this->assertResult('<iframe src="http://google.com"></iframe>', ''); $this->assertResult('<iframe src="http://google.com"></iframe>', '');
} }
public function testRemoveDisallowedIframeDeniedByHostsList()
{
$this->config->set('HTML.SafeIframe', true);
$this->config->set('URI.SafeIframeHosts', ['www.youtube.com']);
$this->assertResult('<iframe src="http://maps.google.com"></iframe>', '');
}
} }
// vim: et sw=4 sts=4 // vim: et sw=4 sts=4