From 44d7047fce57085fe63ad5e1088911e9fc07a32e Mon Sep 17 00:00:00 2001
From: friendica
Date: Thu, 20 Feb 2014 21:15:35 -0800
Subject: SECURITY: do not automatically open an iframe which points into the local website.
---
 doc/To-Do-Code.md | 2 ++
 include/bbcode.php | 9 ++++++++-
 2 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/doc/To-Do-Code.md b/doc/To-Do-Code.md
index 5804801b4..b13689d5e 100644
--- a/doc/To-Do-Code.md
+++ b/doc/To-Do-Code.md
@@ -7,6 +7,8 @@ We need much more than this, but here are areas where developers can help. Pleas
 * Documentation - see [Red Documentation Project To-Do List](help/To-Do)
+* Infinite scroll to the directory pages
+
 * Finish the anti-spam bayesian engine
 * Integrate the "open site" list with the register page
diff --git a/include/bbcode.php b/include/bbcode.php
index 1969f8444..8bbf7ae01 100644
--- a/include/bbcode.php
+++ b/include/bbcode.php
@@ -227,6 +227,13 @@ function bb_location($match) {
 // not yet implemented
 }
+function bbiframe($match) { $a = get_app(); if(strpos($match[1],get_app()->get_hostname())) return '' . $match[1] . ''; return ''; }
+
 function bb_ShareAttributesSimple($match) {
 $attributes = $match[1];
@@ -677,7 +684,7 @@ function bbcode($Text,$preserve_nl = false, $tryoembed = true) {
 if ($tryoembed){
 if (strpos($Text,'[/iframe]') !== false) {
- $Text = preg_replace("/\[iframe\](.*?)\[\/iframe\]/ism", '', $Text);
+ $Text = preg_replace_callback("/\[iframe\](.*?)\[\/iframe\]/ism", 'bbiframe', $Text);
 }
 } else {
--
cgit v1.2.3
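Review bot: The hostname test in `bbiframe` is a substring search and does not deliver what the subject line promises: a relative URL such as `[iframe]/settings[/iframe]` contains no hostname, so `strpos()` returns false and the iframe into the local site is emitted anyway, and a match at offset 0 (`example.com/...` with no scheme) returns 0, which is also falsy. The comparison is case-sensitive as well, so `HTTP://EXAMPLE.COM/` slips past while any third-party URL that merely contains the hostname somewhere is refused. `$match[1]` is also concatenated into the returned markup without escaping and without any scheme restriction (the tags themselves are stripped in this rendering, so I cannot see which attribute it lands in), which leaves `javascript:` values and embedded quotes to the browser. I would parse the value, accept only absolute http(s) URLs with a host, compare that host case-insensitively against `$a->get_hostname()` (the `$a` already fetched on the first line), and escape the URL before it reaches the existing markup of either return branch; note that this still only recognises the configured hostname, not other aliases of the same site.
```php
function bbiframe($match) {
	$a = get_app();
	$url = trim($match[1]);
	$parts = parse_url($url);
	// only absolute http(s) URLs may be embedded; this also rejects relative
	// paths, scheme-relative URLs and javascript:/data: pseudo-schemes
	if(! is_array($parts) || ! isset($parts['scheme']) || ! isset($parts['host'])
		|| ! in_array(strtolower($parts['scheme']), array('http', 'https'), true))
		return '';
	$url = htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
	// hostnames are case-insensitive; strcasecmp avoids strpos()'s 0/false ambiguity
	if(strcasecmp($parts['host'], $a->get_hostname()) === 0)
		return /* … unchanged: existing local-site markup, with $url in place of $match[1] … */;
	return /* … unchanged: existing iframe markup, with $url in place of $match[1] … */;
}
```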