authorredmatrix <git@macgirvin.com>2016-05-01 19:19:17 -0700
committerredmatrix <git@macgirvin.com>2016-05-01 19:19:17 -0700
commitcd518625bf561f1ed42db0b78030b74c32435136 (patch)
treea0894903507417997833d6766d7ba6a1ffd23a30 /Zotlabs
parent84d93cca6e2ac0b552a6f5c570fbcfce766200a1 (diff)
some much needed work on oembed security
Diffstat (limited to 'Zotlabs')
-rw-r--r--Zotlabs/Module/Admin.php29
-rw-r--r--Zotlabs/Module/Oep.php2
2 files changed, 20 insertions, 11 deletions
diff --git a/Zotlabs/Module/Admin.php b/Zotlabs/Module/Admin.php
index 1d37b41bc..b22931b1a 100644
--- a/Zotlabs/Module/Admin.php
+++ b/Zotlabs/Module/Admin.php
@@ -568,25 +568,25 @@ class Admin extends \Zotlabs\Web\Controller {
$block_public = ((x($_POST,'block_public')) ? True : False);
set_config('system','block_public',$block_public);
- $ws = trim_array_elems(explode("\n",$_POST['whitelisted_sites']));
+ $ws = $this->trim_array_elems(explode("\n",$_POST['whitelisted_sites']));
set_config('system','whitelisted_sites',$ws);
- $bs = trim_array_elems(explode("\n",$_POST['blacklisted_sites']));
+ $bs = $this->trim_array_elems(explode("\n",$_POST['blacklisted_sites']));
set_config('system','blacklisted_sites',$bs);
- $wc = trim_array_elems(explode("\n",$_POST['whitelisted_channels']));
+ $wc = $this->trim_array_elems(explode("\n",$_POST['whitelisted_channels']));
set_config('system','whitelisted_channels',$wc);
- $bc = trim_array_elems(explode("\n",$_POST['blacklisted_channels']));
+ $bc = $this->trim_array_elems(explode("\n",$_POST['blacklisted_channels']));
set_config('system','blacklisted_channels',$bc);
$embed_coop = ((x($_POST,'embed_coop')) ? True : False);
set_config('system','embed_coop',$embed_coop);
- $we = trim_array_elems(explode("\n",$_POST['embed_allow']));
+ $we = $this->trim_array_elems(explode("\n",$_POST['embed_allow']));
set_config('system','embed_allow',$we);
- $be = trim_array_elems(explode("\n",$_POST['embed_deny']));
+ $be = $this->trim_array_elems(explode("\n",$_POST['embed_deny']));
set_config('system','embed_deny',$be);
goaway(z_root() . '/admin/security');
@@ -708,9 +708,13 @@ class Admin extends \Zotlabs\Web\Controller {
$embed_coop = intval(get_config('system','embed_coop'));
- // wait to implement this until we have a co-op in place.
- // if((! $whiteembeds) && (! $blackembeds) && (! $embed_coop))
- // $whiteembeds_str = "youtube.com\nyoutu.be\ntwitter.com\nvimeo.com\nsoundcloud.com\nwikipedia.com";
+ if((! $whiteembeds) && (! $blackembeds)) {
+ $embedhelp1 = t("By default, unfiltered HTML is allowed in embedded media. This is inherently insecure.");
+ }
+
+ $embedhelp2 = t("The recommended setting is to only allow unfiltered HTML from the following sites:");
+ $embedhelp3 = t("youtube.com<br />youtu.be<br />twitter.com<br />vimeo.com<br />soundcloud.com<br />wikipedia.com<br />");
+ $embedhelp4 = t("All other embedded content will be filtered, <strong>unless</strong> embedded content from that site is explicitly blocked.");
$t = get_markup_template('admin_security.tpl');
return replace_macros($t, array(
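Review bot: `$embedhelp1` is only assigned inside the `if((! $whiteembeds) && (! $blackembeds))` branch added at L53–L55, yet the next hunk of this same commit passes it unconditionally to the template as `'$embedhelp1' => $embedhelp1` (L70), so on any hub that has configured an embed allow- or deny-list the variable is undefined (PHP notice, empty macro). Initialise it before the branch, `$embedhelp1 = '';`, so the "unfiltered HTML is allowed" warning is absent rather than an undefined variable when a list is in place. Separately, `$embedhelp3` wraps `<br />` markup inside `t()`, which pushes HTML into every translation string; joining plain translated site names in the template, or outputting the list from an array, keeps markup out of the translators' hands. The enclosing method starts before this hunk.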
@@ -722,10 +726,15 @@ class Admin extends \Zotlabs\Web\Controller {
'$blacklisted_sites' => array('blacklisted_sites', t('Block communications from these sites'), $blacksites_str, ''),
'$whitelisted_channels' => array('whitelisted_channels', t('Allow communications only from these channels'), $whitechannels_str, t('One channel (hash) per line. Leave empty to allow from any channel by default')),
'$blacklisted_channels' => array('blacklisted_channels', t('Block communications from these channels'), $blackchannels_str, ''),
- '$embed_allow' => array('embed_allow', t('Allow embedded HTML content only from these domains'), $whiteembeds_str, t('One site per line. Leave empty to allow from any site by default')),
+ '$embed_allow' => array('embed_allow', t('Allow unfiltered embedded HTML content only from these domains'), $whiteembeds_str, t('One site per line. Leave empty to allow from any site by default')),
'$embed_deny' => array('embed_deny', t('Block embedded HTML from these domains'), $blackembeds_str, ''),
// '$embed_coop' => array('embed_coop', t('Cooperative embed security'), $embed_coop, t('Enable to share embed security with other compatible sites/hubs')),
+ '$embedhelp1' => $embedhelp1,
+ '$embedhelp2' => $embedhelp2,
+ '$embedhelp3' => $embedhelp3,
+ '$embedhelp4' => $embedhelp4,
+
'$submit' => t('Submit')
));
}
diff --git a/Zotlabs/Module/Oep.php b/Zotlabs/Module/Oep.php
index f36a452e8..638ea7e2d 100644
--- a/Zotlabs/Module/Oep.php
+++ b/Zotlabs/Module/Oep.php
@@ -220,7 +220,7 @@ class Oep extends \Zotlabs\Web\Controller {
$ret['width'] = intval($width);
$ret['height'] = intval($height);
- $ret['html'] = get_zcard($c,get_observer_hash(),array('width' => $width, 'height' => $height));
+ $ret['html'] = get_zcard_embed($c,get_observer_hash(),array('width' => $width, 'height' => $height));
return $ret;