authorFriendika <info@friendika.com>2011-10-24 20:10:46 -0700
committerFriendika <info@friendika.com>2011-10-24 20:10:46 -0700
commit1a7badb40518538c79ecff6186eb3d996734760e (patch)
treeb0f2ca367e78d3835cfecd4f7b0c641c789477d7
parent790c4a4e1a583b9e8ad909f8d562a62c8d700ad5 (diff)
use iframe for oembed - untrusted content
-rw-r--r--include/bbcode.php3
-rw-r--r--include/oembed.php23
2 files changed, 23 insertions, 3 deletions
diff --git a/include/bbcode.php b/include/bbcode.php
index a8c66d30f..e20b2478d 100644
--- a/include/bbcode.php
+++ b/include/bbcode.php
@@ -19,8 +19,7 @@ function tryoembed($match){
if ($o->type=="error") return $match[0];
$html = oembed_format_object($o);
-
- return $html;
+ return oembed_iframe($html,$o->width,$o->height);
}
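Review bot: `$o->width` and `$o->height` are read on the new return line without checking that the response carries them. The oEmbed format only requires dimensions for photo, video and rich types, so a `link` response would raise an undefined-property notice and then be framed at the 640x300 fallback. Consider passing `isset($o->width) ? $o->width : ''` (and the same for height), or returning `$html` unframed when the object has no dimensions. The same pattern appears in oembed_replacecb in include/oembed.php. tryoembed starts above this hunk, so any earlier handling of `$o` is not visible here.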
diff --git a/include/oembed.php b/include/oembed.php
index 924e61289..71b62b839 100644
--- a/include/oembed.php
+++ b/include/oembed.php
@@ -1,8 +1,12 @@
<?php
function oembed_replacecb($matches){
+ logger('oembedcb');
$embedurl=$matches[1];
$j = oembed_fetch_url($embedurl);
- return oembed_format_object($j);
+ $s = oembed_format_object($j);
+ return oembed_iframe($s,$j->width,$j->height);
+
+
}
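Review bot: oembed_replacecb frames the result without the `if ($o->type=="error") return $match[0];` guard that tryoembed applies in include/bbcode.php, so a failed lookup would apparently still produce an iframe. What oembed_fetch_url returns on failure is not visible here, so `$j->width` may also be read from something that is not an object. A guard such as `if (! is_object($j) || $j->type == "error") return $matches[0];` before formatting would keep the original text instead. The unconditional `logger('oembedcb');` looks like a debugging trace and could be dropped or demoted to a debug level.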
@@ -102,6 +106,23 @@ function oembed_format_object($j){
return mb_convert_encoding($ret, 'HTML-ENTITIES', mb_detect_encoding($ret));
}
+function oembed_iframe($src,$width,$height) {
+
+ if(! $width || strstr($width,'%'))
+ $width = '640';
+ if(! $height || strstr($height,'%'))
+ $height = '300';
+ // try and leave some room for the description line.
+ $height = intval($height) + 80;
+ $width = intval($width) + 40;
+
+ $s = 'data:text/html;base64,' . base64_encode('<html><body>' . $src . '</body></html>');
+ return '<iframe height="' . $height . '" width="' . $width . '" src="' . $s . '" frameborder="no" >' . t('Embedded content') . '</iframe>';
+
+}
+
+
+
function oembed_bbcode2html($text){
$stopoembed = get_config("system","no_oembed");
if ($stopoembed == true){
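Review bot: The `<iframe>` assembled on the return line of oembed_iframe has no `sandbox` attribute, so the isolation the commit title promises rests entirely on how each browser treats a `data:` document. Some browsers have let a data: frame inherit the embedding page's origin, and even with a separate origin the framed markup can still navigate the top-level window. Adding `sandbox="allow-scripts"` (deliberately without `allow-same-origin` or `allow-top-navigation`) to the tag would force a unique origin and block top navigation regardless of browser defaults. A short comment above the function, e.g. `// $src is untrusted provider HTML; it must never be emitted outside this frame`, would record the intent. The hunk's trailing context runs into oembed_bbcode2html, which continues outside it.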