| author | 2013-12-04 20:48:53 +0100 | |
|---|---|---|
| committer | 2013-12-04 20:48:53 +0100 | |
| commit | e45357a91b9aa47d5b7ead14c174dc7c98ab9926 (patch) | |
| tree | a9e8700a20a017ca87c2d4814d469eec87de670b | |
| parent | bdfea07d8c511eaa84cb5d32144fe07c43a85f94 (diff) | |
Support contrôlé de iframe, audio, video
Et filtrage de object, embed
https://github.com/marienfressinaud/FreshRSS/issues/188
On ajoute un paramètre preload="none" à audio et video, ainsi qu'un
paramètre sandbox="allow-scripts allow-same-origin" aux iframe.
On interdit les paramètres autoplay et seamless de audio et video.
Ré-écriture des URLS de l'attribut poster de video, ainsi que de
l'attribut src de iframe.
Suite de https://github.com/marienfressinaud/FreshRSS/issues/267
Au passage, filtrage du vieil élément PLAINTEXT.
Modifications dans SimplePie.
| -rw-r--r-- | app/models/Feed.php | 16 | ||||
| -rw-r--r-- | lib/SimplePie/SimplePie/Sanitize.php | 53 |
2 files changed, 56 insertions, 13 deletions
diff --git a/app/models/Feed.php b/app/models/Feed.php
index 555759c9a..88833c706 100644
--- a/app/models/Feed.php
+++ b/app/models/Feed.php
@@ -204,15 +204,15 @@ class Feed extends Model {
 $feed->set_cache_location (CACHE_PATH);
 $feed->set_cache_duration(1500);
 $feed->strip_htmltags (array (
- 'base', 'blink', 'body', 'doctype',
+ 'base', 'blink', 'body', 'doctype', 'embed',
 'font', 'form', 'frame', 'frameset', 'html', 'input', 'marquee', 'meta', 'noscript',
- 'param', 'script', 'style'
+ 'object', 'param', 'plaintext', 'script', 'style',
 ));
 $feed->strip_attributes(array_merge($feed->strip_attributes, array(
- 'onload', 'onunload', 'onclick', 'ondblclick', 'onmousedown', 'onmouseup',
+ 'autoplay', 'onload', 'onunload', 'onclick', 'ondblclick', 'onmousedown', 'onmouseup',
 'onmouseover', 'onmousemove', 'onmouseout', 'onfocus', 'onblur',
- 'onkeypress', 'onkeydown', 'onkeyup', 'onselect', 'onchange')));
+ 'onkeypress', 'onkeydown', 'onkeyup', 'onselect', 'onchange', 'seamless')));
 $feed->set_url_replacements(array(
 'a' => 'href',
 'area' => 'href',
@@ -220,6 +220,7 @@ class Feed extends Model {
 'blockquote' => 'cite',
 'del' => 'cite',
 'form' => 'action',
+ 'iframe' => 'src',
 'img' => array(
 'longdesc',
 'src'
@@ -229,7 +230,10 @@ class Feed extends Model {
 'q' => 'cite',
 'source' => 'src',
 'track' => 'src',
- 'video' => 'src',
+ 'video' => array(
+ 'poster',
+ 'src',
+ ),
 ));
 $feed->init ();
@@ -581,7 +585,7 @@ class HelperFeed {
 $myFeed = new Feed (isset($dao['url']) ? $dao['url'] : '', false);
 $myFeed->_category ($catID === null ? $dao['category'] : $catID);
 $myFeed->_name ($dao['name']);
- $myFeed->_website ($dao['website']);
+ $myFeed->_website ($dao['website'], false);
 $myFeed->_description (isset($dao['description']) ? $dao['description'] : '');
 $myFeed->_lastUpdate (isset($dao['lastUpdate']) ? $dao['lastUpdate'] : 0);
 $myFeed->_priority ($dao['priority']);
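Review bot: The strip_attributes additions (`'autoplay'`, `'seamless'`) leave `srcdoc` untouched, so an iframe that is now allowed through can still carry inline markup that neither strip_htmltags nor the new `'iframe' => 'src'` URL rewriting ever sees; a srcdoc document inherits the embedding page's origin, so the `sandbox="allow-scripts allow-same-origin"` value this commit injects does not isolate it. I would add `'srcdoc'` to the array on the `'autoplay', 'onload', ...` line, and consider dropping `allow-same-origin` from the sandbox default, since combined with `allow-scripts` a same-origin framed document is able to lift its own sandbox. The `_website($dao['website'], false)` change in the HelperFeed hunk is not covered by the commit message; that method starts outside the hunk, so what the second argument disables cannot be confirmed here and deserves a one-line comment at the call site.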
diff --git a/lib/SimplePie/SimplePie/Sanitize.php b/lib/SimplePie/SimplePie/Sanitize.php
index 83a274ced..0974c150d 100644
--- a/lib/SimplePie/SimplePie/Sanitize.php
+++ b/lib/SimplePie/SimplePie/Sanitize.php
@@ -62,6 +62,7 @@ class SimplePie_Sanitize
 var $strip_htmltags = array('base', 'blink', 'body', 'doctype', 'embed', 'font', 'form', 'frame', 'frameset', 'html', 'iframe', 'input', 'marquee', 'meta', 'noscript', 'object', 'param', 'script', 'style');
 var $encode_instead_of_strip = false;
 var $strip_attributes = array('bgsound', 'class', 'expr', 'id', 'style', 'onclick', 'onerror', 'onfinish', 'onmouseover', 'onmouseout', 'onfocus', 'onblur', 'lowsrc', 'dynsrc');
+ var $add_attributes = array('audio' => array('preload' => 'none'), 'iframe' => array('sandbox' => 'allow-scripts allow-same-origin'), 'video' => array('preload' => 'none')); //FreshRSS
 var $strip_comments = false;
 var $output_encoding = 'UTF-8';
 var $enable_cache = true;
@@ -179,6 +180,25 @@ class SimplePie_Sanitize
 }
 }
+ public function add_attributes($attribs = array('audio' => array('preload' => 'none'), 'iframe' => array('sandbox' => 'allow-scripts allow-same-origin'), 'video' => array('preload' => 'none')))
+ {
+ if ($attribs)
+ {
+ if (is_array($attribs))
+ {
+ $this->add_attributes = $attribs;
+ }
+ else
+ {
+ $this->add_attributes = explode(',', $attribs);
+ }
+ }
+ else
+ {
+ $this->add_attributes = false;
+ }
+ }
+
 public function strip_comments($strip = false)
 {
 $this->strip_comments = (bool) $strip;
@@ -255,10 +275,11 @@ class SimplePie_Sanitize
 $document->loadHTML($data);
 restore_error_handler();
+ $xpath = new DOMXPath($document); //FreshRSS
+
 // Strip comments
 if ($this->strip_comments)
 {
- $xpath = new DOMXPath($document);
 $comments = $xpath->query('//comment()');
 foreach ($comments as $comment)
@@ -274,7 +295,7 @@ class SimplePie_Sanitize
 {
 foreach ($this->strip_htmltags as $tag)
 {
- $this->strip_tag($tag, $document, $type);
+ $this->strip_tag($tag, $document, $xpath, $type);
 }
 }
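Review bot: The non-array branch of the new `add_attributes()` stores `explode(',', $attribs)`, a flat list of strings, but the consumer added in the later hunk (`foreach ($this->add_attributes as $tag => $valuePairs)` feeding `add_attr()`) expects a map of tag name to attribute/value pairs, so a string argument produces integer keys handed to getElementsByTagName and a string `$valuePairs` that `add_attr()` then tries to iterate. No comma-separated form can express the nested shape, so I would drop that branch and make the contract explicit: `$this->add_attributes = is_array($attribs) ? $attribs : false;` with a docblock `/** @param array<string, array<string, string>>|false $attribs  tag => (attribute => value) pairs forced onto every matching element; false disables the step */`. The `sanitize()` body touched by the `-255` and `-274` hunks starts and ends outside this view.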
@@ -282,7 +303,15 @@ class SimplePie_Sanitize
 {
 foreach ($this->strip_attributes as $attrib)
 {
- $this->strip_attr($attrib, $document);
+ $this->strip_attr($attrib, $xpath);
+ }
+ }
+
+ if ($this->add_attributes)
+ {
+ foreach ($this->add_attributes as $tag => $valuePairs)
+ {
+ $this->add_attr($tag, $valuePairs, $document);
 }
 }
@@ -452,9 +481,8 @@ class SimplePie_Sanitize
 }
 }
- protected function strip_tag($tag, $document, $type)
+ protected function strip_tag($tag, $document, $xpath, $type)
 {
- $xpath = new DOMXPath($document);
 $elements = $xpath->query('body//' . $tag);
 if ($this->encode_instead_of_strip)
 {
@@ -537,9 +565,8 @@ class SimplePie_Sanitize
 }
 }
- protected function strip_attr($attrib, $document)
+ protected function strip_attr($attrib, $xpath)
 {
- $xpath = new DOMXPath($document);
 $elements = $xpath->query('//*[@' . $attrib . ']');
 foreach ($elements as $element)
@@ -547,4 +574,16 @@ class SimplePie_Sanitize
 $element->removeAttribute($attrib);
 }
 }
+
+ protected function add_attr($tag, $valuePairs, $document)
+ {
+ $elements = $document->getElementsByTagName($tag);
+ foreach ($elements as $element)
+ {
+ foreach ($valuePairs as $attrib => $value)
+ {
+ $element->setAttribute($attrib, $value);
+ }
+ }
+ }
 }
|
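Review bot: The new `add_attr()` carries no comment stating that `setAttribute` replaces whatever value the feed already supplied, which is exactly what makes the injected `sandbox` and `preload` values trustworthy; a later maintainer could easily turn it into a set-only-if-absent and silently lose that guarantee. I would add above it `/** Force each attrib => value of $valuePairs onto every <$tag> element of $document, replacing any feed-supplied value (a permissive sandbox must not survive). */`. It also walks the whole document via getElementsByTagName while `strip_tag()` restricts itself to `body//`; harmless for these attributes, but the asymmetry is worth a one-line comment so nobody "fixes" it in either direction.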
