authorfriendica <info@friendica.com>2014-03-31 15:56:58 -0700
committerfriendica <info@friendica.com>2014-03-31 15:56:58 -0700
commit57a9ba4574e61a803c0a732135fe457733901850 (patch)
tree220bfaf22477de7e381b5cf264b960bcec7bbbd1 /include
parent04d9187c7ac63b5af3f63ed8d04e737e5801d0e1 (diff)
this is a mess and makes a complicated security model that one can probably drive a truck through. It will have to be fixed. It does make youtubes work again.
Diffstat (limited to 'include')
-rw-r--r--include/bbcode.php7
-rwxr-xr-xinclude/oembed.php5
2 files changed, 7 insertions, 5 deletions
diff --git a/include/bbcode.php b/include/bbcode.php
index 6f6e43568..96242fdac 100644
--- a/include/bbcode.php
+++ b/include/bbcode.php
@@ -230,11 +230,10 @@ function bb_location($match) {
function bbiframe($match) {
$a = get_app();
- // use sandbox mode to prevent malicious goings on rather than host restriction
- // if(strpos($match[1],get_app()->get_hostname()))
- // return '<a href="' . $match[1] . '">' . $match[1] . '</a>';
- return '<iframe sandbox="allow-scripts" src="' . $match[1] . '" width="' . $a->videowidth . '" height="' . $a->videoheight . '"><a href="' . $match[1] . '">' . $match[1] . '</a></iframe>';
+ $sandbox = ((strpos($match[1],get_app()->get_hostname())) ? ' sandbox="allow-scripts" ' : '');
+
+ return '<iframe ' . $sandbox . ' src="' . $match[1] . '" width="' . $a->videowidth . '" height="' . $a->videoheight . '"><a href="' . $match[1] . '">' . $match[1] . '</a></iframe>';
}
function bb_ShareAttributesSimple($match) {
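Review bot: The `strpos($match[1],get_app()->get_hostname())` test in bbiframe is a truthiness check on a substring search, so it is false both when the hostname is absent and when it sits at offset 0, and true when the hostname appears anywhere in the path or query of a foreign URL; the same expression is added to oembed_iframe in include/oembed.php. As written, every URL that does not contain the local hostname is framed with no sandbox attribute at all, so the author of the post decides whether the frame is restricted. Comparing the parsed host instead, e.g. `$local = (parse_url($match[1], PHP_URL_HOST) === get_app()->get_hostname());`, makes the test exact, and omitting the sandbox would be safer if limited to an explicit list of trusted embed hosts. `$match[1]` also goes into `src` and `href` without `htmlspecialchars()` in this hunk; whether it is escaped before bbiframe is called is not visible here.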
diff --git a/include/oembed.php b/include/oembed.php
index 691ef48fd..42a9881ed 100755
--- a/include/oembed.php
+++ b/include/oembed.php
@@ -164,8 +164,11 @@ function oembed_iframe($src,$width,$height) {
$a = get_app();
+ $sandbox = ((strpos($src,get_app()->get_hostname())) ? ' sandbox="allow-scripts" ' : '');
+
$s = $a->get_baseurl()."/oembed/".base64url_encode($src);
- return '<iframe sandbox="allow-scripts" height="' . $height . '" width="' . $width . '" src="' . $s . '" frameborder="no" >' . t('Embedded content') . '</iframe>';
+
+ return '<iframe ' . $sandbox . ' height="' . $height . '" width="' . $width . '" src="' . $s . '" frameborder="no" >' . t('Embedded content') . '</iframe>';
}
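Review bot: In oembed_iframe the frame's `src` is always `$s`, a URL under this site's own `get_baseurl()`, yet the sandbox is now dropped whenever `$src` does not contain the local hostname. If the `/oembed/` handler renders the provider's HTML (it is outside this hunk), that markup then runs unsandboxed in the site's own origin rather than in an isolated one. Keeping `sandbox="allow-scripts"` unconditional on this outer frame and relaxing restrictions only on the provider's inner frame would preserve that isolation. The function's signature appears only in the hunk header, so anything before `$a = get_app();` is not visible here.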