Use SafeIFrame feature of HTML Purifier

Bug #922360 reported by François Marier
Affects: Mahara
Status: Fix Released
Importance: Medium
Assigned to: François Marier
Milestone: (none set)

Bug Description

We should look at replacing the iframe filters we have in htdocs/lib/htmlpurifiercustom/ with the new SafeIFrame feature that HTML Purifier 4.4.0 has:

  http://htmlpurifier.org/live/configdoc/plain.html#HTML.SafeIframe
  http://htmlpurifier.org/live/configdoc/plain.html#URI.SafeIframeRegexp

(This of course depends on bug #921314.)

Changed in mahara:
assignee: nobody → François Marier (fmarier)
Changed in mahara:
status: Confirmed → In Progress
Revision history for this message
Mahara Bot (dev-mahara) wrote : A change has been merged

Reviewed: https://reviews.mahara.org/1066
Committed: http://gitorious.org/mahara/mahara/commit/f4cd8d19876c1df2320c0d5ac2dc5f77e57c2e0f
Submitter: Francois Marier (<email address hidden>)
Branch: master

commit f4cd8d19876c1df2320c0d5ac2dc5f77e57c2e0f
Author: Francois Marier <email address hidden>
Date: Tue Feb 21 14:38:27 2012 +1300

    htmlpurifier: migrate custom iframe filters to URI.SafeIframeRegexp

    The new HTML.SafeIframe setting in HTML Purifier 4.4.0 allows us
    to remove our fragile custom filters.

    The regular expressions are not quite as tight, but they are
    restricted to the src attribute and HTML Purifier will hopefully
    apply the right filters.

    Bug #922360 (also fixes bug #885066)

    Change-Id: Ifaa9f13ae77b28e18df640103e205a94bc3af2d7
    Signed-off-by: Francois Marier <email address hidden>

Changed in mahara:
status: In Progress → Fix Committed
Revision history for this message
Mahara Bot (dev-mahara) wrote :

Reviewed: https://reviews.mahara.org/1126
Committed: http://gitorious.org/mahara/mahara/commit/a7e74fe9d9b23d3531ce12294dba2002d398306e
Submitter: Francois Marier (<email address hidden>)
Branch: master

commit a7e74fe9d9b23d3531ce12294dba2002d398306e
Author: Richard Mansfield <email address hidden>
Date: Wed Mar 28 11:40:18 2012 +1300

    Fix overly permissive SafeIframeRegexp in htmlpurifier (bug #922360)

    Dots in the list of safe iframe sources are not escaped before use in
    the regular expression passed to htmlpurifier, but they should be
    because of their special meaning inside patterns. This will prevent
    people from registering domains like 'www-youtube.com' and
    'playerxvimeo.com' and embedding iframes from those sites in their
    pages.

    Change-Id: I94ceedd77172cbb6650efad0ab7edfae92f5f7e8
    Signed-off-by: Richard Mansfield <email address hidden>
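
The escaping problem described in the commit above, shown as an added example rather than Mahara's or HTML Purifier's own code. It builds a URI.SafeIframeRegexp from a list of allowed iframe source prefixes both ways, once with the dots left as regex metacharacters and once quoted with preg_quote(), and runs constructed look-alike URLs through each. The helper names (buildSafeIframeRegexpUnescaped, buildSafeIframeRegexp, checkSources), the $allowedSources list and the sample src values are assumptions made for the example; the HTML Purifier calls at the end are the library's documented API and only run if the library is on the include path.

```php
<?php
// Added example (not Mahara's or HTML Purifier's own code): derive a
// URI.SafeIframeRegexp from an allow-list of iframe source prefixes.
// Helper names and the $allowedSources list are hypothetical; the sample
// src values and the <iframe> markup are constructed for the demonstration.

$allowedSources = [
    'www.youtube.com/embed/',
    'player.vimeo.com/video/',
];

// Before the fix: sources are joined verbatim, so every '.' is a regex
// metacharacter that matches any single character.
function buildSafeIframeRegexpUnescaped(array $sources): string
{
    return '%^(https?:)?//(' . implode('|', $sources) . ')%';
}

// After the fix: preg_quote() escapes '.', and any other metacharacter, so
// each source is matched literally. Passing the delimiter '%' makes
// preg_quote escape it too, should a source ever contain one.
function buildSafeIframeRegexp(array $sources): string
{
    $quoted = array_map(function ($s) {
        return preg_quote($s, '%');
    }, $sources);
    return '%^(https?:)?//(' . implode('|', $quoted) . ')%';
}

// Constructed src values: two legitimate embeds, then two look-alike hosts of
// the kind the commit mentions, which an attacker could register.
$candidates = [
    'https://www.youtube.com/embed/dQw4w9WgXcQ',
    'https://player.vimeo.com/video/12345',
    'https://www-youtube.com/embed/evil',
    'https://playerxvimeo.com/video/evil',
];

// Returns src => bool, true when the pattern would let the iframe through.
function checkSources(string $regexp, array $srcs): array
{
    $out = [];
    foreach ($srcs as $src) {
        $out[$src] = preg_match($regexp, $src) === 1;
    }
    return $out;
}

$loose = checkSources(buildSafeIframeRegexpUnescaped($allowedSources), $candidates);
$tight = checkSources(buildSafeIframeRegexp($allowedSources), $candidates);

foreach ($candidates as $src) {
    printf("%-45s unescaped=%-5s escaped=%s\n", $src,
        $loose[$src] ? 'allow' : 'deny',
        $tight[$src] ? 'allow' : 'deny');
}
// www-youtube.com and playerxvimeo.com are allowed by the unescaped pattern
// ('.' matches '-' and 'x') and denied once the dots are quoted.

// Wiring the tightened pattern into HTML Purifier 4.4.0 or later, when the
// library is available. HTML.SafeIframe enables <iframe>; the regexp is then
// applied to the src attribute only, which is the point made in the first
// commit on this bug.
if (class_exists('HTMLPurifier_Config')) {
    $config = HTMLPurifier_Config::createDefault();
    $config->set('HTML.SafeIframe', true);
    $config->set('URI.SafeIframeRegexp', buildSafeIframeRegexp($allowedSources));
    $purifier = new HTMLPurifier($config);

    // Constructed input: only the first src survives purification.
    $html = '<iframe src="https://www.youtube.com/embed/dQw4w9WgXcQ"></iframe>'
          . '<iframe src="https://www-youtube.com/embed/evil"></iframe>';
    echo $purifier->purify($html), "\n";
}
```

The allow-list entries are path prefixes, not bare hosts, so the anchored pattern also rejects a legitimate host serving an unexpected path; when extending the list, add the narrowest prefix that still covers the embed URLs the site needs, and let preg_quote() do the escaping rather than hand-writing backslashes.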

Revision history for this message
Mahara Bot (dev-mahara) wrote :

Reviewed: https://reviews.mahara.org/1125
Committed: http://gitorious.org/mahara/mahara/commit/8947151000b6cd11c66656884541b7b766cf707d
Submitter: Francois Marier (<email address hidden>)
Branch: 1.5_STABLE

commit 8947151000b6cd11c66656884541b7b766cf707d
Author: Richard Mansfield <email address hidden>
Date: Wed Mar 28 11:40:18 2012 +1300

    Fix overly permissive SafeIframeRegexp in htmlpurifier (bug #922360)

    Dots in the list of safe iframe sources are not escaped before use in
    the regular expression passed to htmlpurifier, but they should be
    because of their special meaning inside patterns. This will prevent
    people from registering domains like 'www-youtube.com' and
    'playerxvimeo.com' and embedding iframes from those sites in their
    pages.

    Change-Id: I94ceedd77172cbb6650efad0ab7edfae92f5f7e8
    Signed-off-by: Richard Mansfield <email address hidden>

tags: added: newfeature
Melissa Draper (melissa)
Changed in mahara:
status: Fix Committed → Fix Released