0
0
mirror of https://github.com/ezyang/htmlpurifier.git synced 2024-12-22 00:11:52 +00:00

feat: Add option for safe iframe hosts using array lookup (#423)

Co-authored-by: Edward Z. Yang <ezyang@meta.com>
This commit is contained in:
Eli Barbosa 2024-11-09 19:02:09 -08:00 committed by GitHub
parent f16ace76cd
commit b5cbf0cc3d
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
7 changed files with 40 additions and 6 deletions

View File

@ -608,4 +608,9 @@
<line>35</line> <line>35</line>
</file> </file>
</directive> </directive>
<directive id="URI.SafeIframeHosts">
<file name="HTMLPurifier/URIFilter/SafeIframe.php">
<line>67</line>
</file>
</directive>
</usage> </usage>

File diff suppressed because one or more lines are too long

View File

@ -6,7 +6,7 @@ DEFAULT: false
<p> <p>
Whether or not to permit iframe tags in untrusted documents. This Whether or not to permit iframe tags in untrusted documents. This
directive must be accompanied by a whitelist of permitted iframes, directive must be accompanied by a whitelist of permitted iframes,
such as %URI.SafeIframeRegexp, otherwise it will fatally error. such as %URI.SafeIframeRegexp or %URI.SafeIframeHosts, otherwise it will fatally error.
This directive has no effect on strict doctypes, as iframes are not This directive has no effect on strict doctypes, as iframes are not
valid. valid.
</p> </p>

View File

@ -0,0 +1,14 @@
URI.SafeIframeHosts
TYPE: lookup/null
DEFAULT: null
--DESCRIPTION--
<p>
A whitelist which indicates what explicit hosts should be
allowed to embed iframe. See also %HTML.SafeIframeRegexp,
it has precedence over this config. Here are some example values:
</p>
<ul>
<li><code>www.youtube.com</code> - Allow YouTube videos</li>
<li><code>maps.google.com</code> - Allow Embedding a Google map</li>
</ul>
--# vim: et sw=4 sts=4

View File

@ -57,11 +57,12 @@ class HTMLPurifier_URIFilter_SafeIframe extends HTMLPurifier_URIFilter
return true; return true;
} }
// check if we actually have some whitelists enabled // check if we actually have some whitelists enabled
if ($this->regexp === null) { if ($this->regexp !== null) {
return false; return preg_match($this->regexp, $uri->toString());
} }
// actually check the whitelists // check if the host is in a whitelist for safe iframe hosts
return preg_match($this->regexp, $uri->toString()); $safeHosts = $config->get('URI.SafeIframeHosts');
return $safeHosts !== null && isset($safeHosts[$uri->host]);
} }
} }

View File

@ -0,0 +1,8 @@
--INI--
HTML.SafeIframe = true
URI.SafeIframeHosts = www.youtube.com
--HTML--
<iframe title="YouTube video player" width="480" height="390" src="http://www.youtube.com/embed/RVtEQxH7PWA" frameborder="0" allowfullscreen></iframe>
--EXPECT--
<iframe title="YouTube video player" width="480" height="390" src="http://www.youtube.com/embed/RVtEQxH7PWA" frameborder="0"></iframe>
--# vim: et sw=4 sts=4

View File

@ -115,6 +115,12 @@ class HTMLPurifier_Injector_RemoveEmptyTest extends HTMLPurifier_InjectorHarness
$this->assertResult('<iframe src="http://google.com"></iframe>', ''); $this->assertResult('<iframe src="http://google.com"></iframe>', '');
} }
public function testRemoveDisallowedIframeDeniedByHostsList()
{
$this->config->set('HTML.SafeIframe', true);
$this->config->set('URI.SafeIframeHosts', ['www.youtube.com']);
$this->assertResult('<iframe src="http://maps.google.com"></iframe>', '');
}
} }
// vim: et sw=4 sts=4 // vim: et sw=4 sts=4