diff --git a/controllers/Parse.php b/controllers/Parse.php index 49f00af..c5ecfff 100644 --- a/controllers/Parse.php +++ b/controllers/Parse.php @@ -71,6 +71,10 @@ class Parse { $opts['include-mf1'] = $request->get('include-mf1') == 'false' ? false : true; } + if($request->get('allow-iframe-video')) { + $opts['allowIframeVideo'] = $request->get('allow-iframe-video') == 'true'; + } + $url = $request->get('url'); $html = $request->get('html') ?: $request->get('body'); diff --git a/lib/XRay/Formats/Format.php b/lib/XRay/Formats/Format.php index 0042f40..a741552 100644 --- a/lib/XRay/Formats/Format.php +++ b/lib/XRay/Formats/Format.php @@ -67,6 +67,16 @@ abstract class Format implements iFormat { $config = HTMLPurifier_Config::createDefault(); $config->set('Cache.DefinitionImpl', null); + + if (\p3k\XRay\allow_iframe_video()) { + $allowed[] = 'iframe'; + $config->set('HTML.SafeIframe', true); + $config->set('URI.SafeIframeRegexp', '%^(https?:)?//(www\.youtube(?:-nocookie)?\.com/embed/|player\.vimeo\.com/video/)%'); + $config->set('AutoFormat.RemoveEmpty', true); + // Removes iframe in case it has no src. This strips the non-allowed domains. + $config->set('AutoFormat.RemoveEmpty.Predicate', array('iframe' => array(0 => 'src'))); + } + $config->set('HTML.AllowedElements', $allowed); if($baseURL) { diff --git a/lib/XRay/Parser.php b/lib/XRay/Parser.php index 28886b8..f34f0aa 100644 --- a/lib/XRay/Parser.php +++ b/lib/XRay/Parser.php @@ -12,6 +12,8 @@ class Parser { } public function parse($http_response, $opts=[]) { + $allowIframeVideo = isset($opts['allowIframeVideo']) ? $opts['allowIframeVideo'] : false; + allow_iframe_video($allowIframeVideo); $document = $this->parse_document($http_response, $opts); // If a target parameter was provided, make sure a link to it exists in the parsed document diff --git a/lib/helpers.php b/lib/helpers.php index 8a90a9c..b96f324 100644 --- a/lib/helpers.php +++ b/lib/helpers.php @@ -58,3 +58,12 @@ function phpmf2_version() { } return $version; } + +function allow_iframe_video($value = NULL) { + static $allow_iframe_video = false; + + if (isset($value)) + $allow_iframe_video = $value; + + return $allow_iframe_video; +} \ No newline at end of file diff --git a/tests/SanitizeTest.php b/tests/SanitizeTest.php index 318f7fd..ff86a5b 100644 --- a/tests/SanitizeTest.php +++ b/tests/SanitizeTest.php @@ -115,6 +115,23 @@ class SanitizeTest extends PHPUnit_Framework_TestCase { $this->assertEquals('This content has some HTML escaped entities such as & ampersand, " quote, escaped <code> HTML tags, an ümlaut, an @at sign.', $data['data']['content']['html']); } + public function testAllowIframeVideo() { + $url = 'http://sanitize.example/entry-with-iframe-video'; + $response = $this->parse(['url' => $url]); + $body = $response->getContent(); + $data = json_decode($body, true); + $html = $data['data']['content']['html']; + $this->assertNotContains('parse(['url' => $url, 'allow-iframe-video' => 'true']); + $body = $response->getContent(); + $data = json_decode($body, true); + $html = $data['data']['content']['html']; + $this->assertContains('youtube.com', $html); + $this->assertNotContains('https://attack-domain.com', $html); + $this->assertNotContains('parse(['url' => $url]); diff --git a/tests/data/sanitize.example/entry-with-iframe-video b/tests/data/sanitize.example/entry-with-iframe-video new file mode 100644 index 0000000..01c0164 --- /dev/null +++ b/tests/data/sanitize.example/entry-with-iframe-video @@ -0,0 +1,19 @@ +HTTP/1.1 200 OK +Server: Apache +Date: Wed, 09 Dec 2015 03:29:14 GMT +Content-Type: text/html; charset=utf-8 +Connection: keep-alive + + + + Test + + + + This is a nice video! + + This is a not a nice video! + + + +
This is a nice video!
This is a not a nice video!