From ec0c9dcdb160750c4346579a9fab21e323106ede Mon Sep 17 00:00:00 2001 From: Hypolite Petovan Date: Fri, 18 Dec 2020 01:16:35 -0500 Subject: [PATCH 1/3] Remove support for [iframe] BBCode - It was a huge gaping security hole, and now HTML Purify will remove the src attribute of all non-allowed sources anyway. --- doc/BBCode.md | 4 ---- doc/de/BBCode.md | 4 ---- src/Content/Text/BBCode.php | 7 ++----- src/Content/Text/HTML.php | 4 +++- 4 files changed, 5 insertions(+), 14 deletions(-) diff --git a/doc/BBCode.md b/doc/BBCode.md index 47e45b7aca..753bc69425 100644 --- a/doc/BBCode.md +++ b/doc/BBCode.md @@ -502,10 +502,6 @@ You can embed video, audio and more in a message. [embed]URL[/embed] Embed OEmbed rich content. - - [iframe]URL[/iframe] - General embed, iframe size is limited by the theme size for video players. - [url]*url*[/url] If *url* supports oembed or opengraph specifications the embedded object will be shown (eg, documents from scribd). diff --git a/doc/de/BBCode.md b/doc/de/BBCode.md index 5786e22755..ded52cdb78 100644 --- a/doc/de/BBCode.md +++ b/doc/de/BBCode.md @@ -482,10 +482,6 @@ Du kannst Videos, Musikdateien und weitere Dinge in Beiträgen einbinden. [embed]URL[/embed] OEmbed rich content einbetten. - - [iframe]URL[/iframe] - General embed, iframe size is limited by the theme size for video players. - [url]*url*[/url] Wenn *url* die OEmbed- oder Opengraph-Spezifikationen unterstützt, wird das Objekt eingebettet (z.B. Dokumente von scribd). diff --git a/src/Content/Text/BBCode.php b/src/Content/Text/BBCode.php index 73503cece8..e41511f5a3 100644 --- a/src/Content/Text/BBCode.php +++ b/src/Content/Text/BBCode.php 
@@ -1622,11 +1622,8 @@ class BBCode '$1', $text); } - if ($try_oembed) { - $text = preg_replace("/\[iframe\](.*?)\[\/iframe\]/ism", '', $text); - } else { - $text = preg_replace("/\[iframe\](.*?)\[\/iframe\]/ism", '$1', $text); - } + // Backward compatibility, [iframe] support has been removed in version 2020.12 + $text = preg_replace("/\[iframe\](.*?)\[\/iframe\]/ism", '$1', $text); // Youtube extensions if ($try_oembed) { diff --git a/src/Content/Text/HTML.php b/src/Content/Text/HTML.php index e8d0943ca4..6f2d7c7905 100644 --- a/src/Content/Text/HTML.php +++ b/src/Content/Text/HTML.php @@ -290,7 +290,8 @@ class HTML self::tagToBBCode($doc, 'video', ['src' => '/(.+)/'], '[video]$1', '[/video]', true); self::tagToBBCode($doc, 'audio', ['src' => '/(.+)/'], '[audio]$1', '[/audio]', true); - self::tagToBBCode($doc, 'iframe', ['src' => '/(.+)/'], '[iframe]$1', '[/iframe]', true); + // Backward compatibility, [iframe] support has been removed in version 2020.12 + self::tagToBBCode($doc, 'iframe', ['src' => '/(.+)/'], '[url]$1', '[/url]', true); self::tagToBBCode($doc, 'key', [], '[code]', '[/code]'); self::tagToBBCode($doc, 'code', [], '[code]', '[/code]'); @@ -630,6 +631,7 @@ class HTML self::tagToBBCode($doc, 'img', ['src' => '/(.+)/'], ' ', ' '); } + // Backward compatibility, [iframe] support has been removed in version 2020.12 self::tagToBBCode($doc, 'iframe', ['src' => '/(.+)/'], ' $1 ', ''); $message = $doc->saveHTML(); From 0781f28ca6e8ac9fe9a2ebf0707db7952a148b5e Mon Sep 17 00:00:00 2001 From: Hypolite Petovan Date: Fri, 18 Dec 2020 01:17:49 -0500 Subject: [PATCH 2/3] Allow support for allowlisted iframe sources in Content\text\BBCode::convert - Support Youtube, Vimeo and unused local embeds --- src/Content/Text/BBCode.php | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/src/Content/Text/BBCode.php b/src/Content/Text/BBCode.php index e41511f5a3..2563194f2c 100644 --- a/src/Content/Text/BBCode.php +++ b/src/Content/Text/BBCode.php 
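Review bot: The captured `[iframe]` body on the new `preg_replace` line is substituted into the replacement without any check on its scheme, so `[iframe]javascript:...[/iframe]` or a `data:` URI is passed through exactly as written. If the HTMLPurifier pass configured later in this file (patch 2 places it in `BBCode::convert`) is the only thing that rejects such schemes, that reliance should be stated next to the line, e.g. `// URL is not validated here; the HTMLPurifier pass at the end of convert() rejects non-http(s) schemes`, and if any caller reaches this code without the purifier the capture should be narrowed to `/\[iframe\](https?:\/\/.*?)\[\/iframe\]/ism`. The replacement string shown as `'$1'` may have lost markup in rendering, so I cannot confirm which element it emits. The enclosing method starts and ends outside the hunk.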
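Review bot: The new `tagToBBCode` line for `iframe` captures the `src` value through `/(.+)/` and turns any value into a `[url]` target, so a `javascript:` or `data:` src in incoming HTML is preserved into BBCode rather than dropped; the commit removes `[iframe]` but keeps the unfiltered capture. If `tagToBBCode` leaves elements whose attribute does not match the pattern untouched (its implementation is not visible here), narrowing the pattern to `['src' => '/^(https?:\/\/.+)/i']` would reject non-web sources at this boundary. Note also that an allowlisted YouTube or Vimeo embed iframe now round-trips to a bare `[url]` link rather than an embed, although patch 2 allows those sources in rendered output; if that is intended, a comment saying so would help, e.g. `// Embeds are downgraded to links here; allowlisted sources are only re-enabled when rendering BBCode to HTML`. The enclosing method starts and ends outside the hunk.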
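Review bot: The comment added above the unchanged `iframe` line in the last hunk is misleading: that call replaces an `<iframe>` with its `src` wrapped in spaces (` $1 `) and never produced `[iframe]` BBCode, so "support has been removed" does not describe what the line does. Either drop the comment there or make it describe the line, e.g. `// Reduce iframes to their src URL as plain text (the [iframe] BBCode tag is no longer supported as of 2020.12)`. The enclosing method starts and ends outside the hunk.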
@@ -1876,6 +1876,14 @@ class BBCode $config = \HTMLPurifier_HTML5Config::createDefault(); $config->set('HTML.Doctype', 'HTML5'); + $config->set('HTML.SafeIframe', true); + $config->set('URI.SafeIframeRegexp', '%^(?: + https://www.youtube.com/embed/ + | + https://player.vimeo.com/video/ + | + ' . DI::baseUrl() . '/oembed/ # Has to change with the source in Content\Oembed::iframe + )%xi'); $config->set('Attr.AllowedRel', [ 'noreferrer' => true, 'noopener' => true, From 20d9dcf7acd93d6ac5ac619fdcf57761213e5f7d Mon Sep 17 00:00:00 2001 From: Hypolite Petovan Date: Fri, 18 Dec 2020 01:18:23 -0500 Subject: [PATCH 3/3] Bump BBCode version to 2020-12-18 --- src/Content/Text/BBCode.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/Content/Text/BBCode.php b/src/Content/Text/BBCode.php index 2563194f2c..e0975f9f0b 100644 --- a/src/Content/Text/BBCode.php +++ b/src/Content/Text/BBCode.php @@ -50,7 +50,7 @@ use Friendica\Util\XML; class BBCode { // Update this value to the current date whenever changes are made to BBCode::convert - const VERSION = '2020-12-06'; + const VERSION = '2020-12-18'; const INTERNAL = 0; const API = 2;
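Review bot: The `URI.SafeIframeRegexp` added here leaves the dots in `www.youtube.com` and `player.vimeo.com` unescaped, so `.` matches any character and a registrable host such as `www-youtube.com` or `player-vimeo.com` satisfies the allowlist; `DI::baseUrl()` is likewise interpolated without `preg_quote`, and a `%` (the delimiter), `#` (a comment under the `x` modifier) or whitespace in it would silently change the pattern. The three alternatives should read `https://www\.youtube\.com/embed/`, `https://player\.vimeo\.com/video/` and `' . preg_quote(DI::baseUrl(), '%') . '/oembed/`. The trailing `#` comment is the only pointer to `Content\Oembed::iframe`; a short note that this allowlist must stay in sync with the iframe markup that class emits, placed above the `set()` call rather than inside the pattern, would be easier to find. The enclosing method starts and ends outside the hunk.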