author | mrjive <mrjive@mrjive.it> | 2015-11-11 16:51:48 +0100 |
---|---|---|
committer | mrjive <mrjive@mrjive.it> | 2015-11-11 16:51:48 +0100 |
commit | 53a796afcc0cff6f9e3f51457df4506a43db1945 (patch) | |
tree | a2366c48e0dae047b052283cc44284224369c8cd /include/bbcode.php | |
parent | a4c3058f845a1c38d06b2201a10700c5f878366d (diff) | |
parent | bc7c0ed844711e81c4bc642e3024849195a48421 (diff) | |
Merge pull request #8 from redmatrix/master
get fresh code from HZ base
Diffstat (limited to 'include/bbcode.php')
-rw-r--r-- | include/bbcode.php | 12 |
1 files changed, 9 insertions, 3 deletions
diff --git a/include/bbcode.php b/include/bbcode.php
index 1092c08a3..05802aa57 100644
--- a/include/bbcode.php
+++ b/include/bbcode.php
@@ -28,7 +28,7 @@ function tryzrlaudio($match) {
 if($zrl)
 $link = zid($link);
- return '<audio src="' . str_replace(' ','%20',$link) . '" controls="controls"><a href="' . str_replace(' ','%20',$link) . '">' . $link . '</a></audio>';
+ return '<audio src="' . str_replace(' ','%20',$link) . '" controls="controls" preload="none"><a href="' . str_replace(' ','%20',$link) . '">' . $link . '</a></audio>';
 }
 function tryzrlvideo($match) {
@@ -37,7 +37,7 @@ function tryzrlvideo($match) {
 if($zrl)
 $link = zid($link);
- return '<video controls="controls" src="' . str_replace(' ','%20',$link) . '" style="width:100%; max-width:' . get_app()->videowidth . 'px"><a href="' . str_replace(' ','%20',$link) . '">' . $link . '</a></video>';
+ return '<video controls="controls" preload="none" src="' . str_replace(' ','%20',$link) . '" style="width:100%; max-width:' . get_app()->videowidth . 'px"><a href="' . str_replace(' ','%20',$link) . '">' . $link . '</a></video>';
 }
 // [noparse][i]italic[/i][/noparse] turns into
@@ -599,6 +599,7 @@ function bbcode($Text, $preserve_nl = false, $tryoembed = true, $cache = false)
 $Text = preg_replace("/\[mail\=([$MAILSearchString]*)\](.*?)\[\/mail\]/", '<a href="mailto:$1" target="_newwin" >$2</a>', $Text);
 }
+
 // leave open the posibility of [map=something]
 // this is replaced in prepare_body() which has knowledge of the item location
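Review bot: The `$link` value concatenated into the new `<audio>` return line (and the `<video>` line in the second hunk) lands in the `src` and `href` attributes and in the element text with only a space-to-`%20` substitution and no HTML escaping, so a double quote or angle bracket surviving in the captured link would terminate the attribute. The capture that produces `$link` is outside both hunks, so whether it already excludes those characters cannot be confirmed here; unless it does, build the attributes from an escaped copy, e.g. `$safe = htmlspecialchars(str_replace(' ','%20',$link), ENT_QUOTES, 'UTF-8');` and use `$safe` in both `src`/`href` positions and an escaped `$link` for the visible text. The first-character check on `src`/`href` values near the end of `bbcode()` does not substitute for this, because it never inspects the rest of the attribute value. Both tryzrlaudio() and tryzrlvideo() begin outside their hunks.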
@@ -983,7 +984,12 @@ function bbcode($Text, $preserve_nl = false, $tryoembed = true, $cache = false)
 $Text = preg_replace('/\[\&\;([#a-z0-9]+)\;\]/', '&$1;', $Text);
 // fix any escaped ampersands that may have been converted into links
- $Text = preg_replace("/\<(.*?)(src|href)=(.*?)\&\;(.*?)\>/ism", '<$1$2=$3&$4>', $Text);
+
+ if(strpos($Text,'&') !== false)
+ $Text = preg_replace("/\<(.*?)(src|href)=(.*?)\&\;(.*?)\>/ism", '<$1$2=$3&$4>', $Text);
+
+ // This is subtle - it's an XSS filter. It only accepts links with a protocol scheme and where
+ // the scheme begins with z (zhttp), h (http(s)), f (ftp), m (mailto), and named anchors.
 $Text = preg_replace("/\<(.*?)(src|href)=\"[^zhfm#](.*?)\>/ism", '<$1$2="">', $Text); |
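Review bot: The added comment promises more than the regex on the following line enforces: `[^zhfm#]` tests only the first character of a double-quoted `src`/`href` value (case-insensitively, given the `i` modifier), it never verifies that a scheme and `:` are present, and values written with single quotes or no quotes are not inspected at all. Either tighten the check to an anchored scheme allowlist applied to every quoting form, or reword the comment so nobody relies on it as a full filter, e.g. `// Crude XSS guard: blanks any double-quoted src/href whose first character is not z, h, f, m or '#'. It does not validate a full scheme or other quoting styles.`. Separately, the `&` shown in the new `strpos` guard and in both `\&\;` patterns is likely a rendering artefact of the page decoding an entity; confirm the source literally spells the escaped form the "fix any escaped ampersands" comment refers to, otherwise the guard and the pattern match different strings. bbcode() begins and ends outside this hunk.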