diff options
| author |  Alexandre Alapetite <alexandre@alapetite.fr>
| 2024-04-11 08:48:50 +0200 |
|---|---|---|
| committer |  GitHub <noreply@github.com>
| 2024-04-11 08:48:50 +0200 |
| commit | 7aaed6092f09b73b2deb7e32a1fed9b776c0202d (patch) | |
| tree | 900c9284e458b7b1b4acd1a6565d322cce9541e6 /lib/lib_rss.php | |
| parent | 30f147410d30deb0433ca53a9eec29c7b477e382 (diff) | |
SimplePie replace iframe allow attribute (#6274)
* SimplePie strip iframe allow attribute
https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe#allow
Besides security, the `allow autoplay` atttribute is especially problematic on mobile (Firefox on Android) as it asks to open the YouTube app as soon as the article is opened.
Example of code before:
```html
<iframe data-original="https://www.youtube.com/embed/??????feature=oembed" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" referrerpolicy="strict-origin-when-cross-origin" allowfullscreen="" sandbox="allow-scripts allow-same-origin"></iframe>
```
* Replace allow attribute
* Allow more
Diffstat (limited to 'lib/lib_rss.php')
| -rw-r--r-- | lib/lib_rss.php | 37 |
1 files changed, 20 insertions, 17 deletions
diff --git a/lib/lib_rss.php b/lib/lib_rss.php index 4ce9e7bfd..7e4b7732e 100644 --- a/lib/lib_rss.php +++ b/lib/lib_rss.php @@ -335,24 +335,27 @@ function customSimplePie(array $attributes = [], array $curl_options = []): Simp $simplePie->set_curl_options($curl_options); $simplePie->strip_comments(true); - $simplePie->strip_htmltags(array( + $simplePie->strip_htmltags([ 'base', 'blink', 'body', 'doctype', 'embed', 'font', 'form', 'frame', 'frameset', 'html', 'link', 'input', 'marquee', 'meta', 'noscript', 'object', 'param', 'plaintext', 'script', 'style', 'svg', //TODO: Support SVG after sanitizing and URL rewriting of xlink:href - )); - $simplePie->rename_attributes(array('id', 'class')); - $simplePie->strip_attributes(array_merge($simplePie->strip_attributes, array( + ]); + $simplePie->rename_attributes(['id', 'class']); + $simplePie->strip_attributes(array_merge($simplePie->strip_attributes, [ 'autoplay', 'class', 'onload', 'onunload', 'onclick', 'ondblclick', 'onmousedown', 'onmouseup', 'onmouseover', 'onmousemove', 'onmouseout', 'onfocus', 'onblur', - 'onkeypress', 'onkeydown', 'onkeyup', 'onselect', 'onchange', 'seamless', 'sizes', 'srcset'))); - $simplePie->add_attributes(array( - 'audio' => array('controls' => 'controls', 'preload' => 'none'), - 'iframe' => array('sandbox' => 'allow-scripts allow-same-origin'), - 'video' => array('controls' => 'controls', 'preload' => 'none'), - )); - $simplePie->set_url_replacements(array( + 'onkeypress', 'onkeydown', 'onkeyup', 'onselect', 'onchange', 'seamless', 'sizes', 'srcset'])); + $simplePie->add_attributes([ + 'audio' => ['controls' => 'controls', 'preload' => 'none'], + 'iframe' => [ + 'allow' => 'accelerometer; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share', + 'sandbox' => 'allow-scripts allow-same-origin', + ], + 'video' => ['controls' => 'controls', 'preload' => 'none'], + ]); + $simplePie->set_url_replacements([ 'a' => 'href', 'area' => 'href', 'audio' => 'src', @@ -360,21 +363,21 @@ function customSimplePie(array $attributes = [], array $curl_options = []): Simp 'del' => 'cite', 'form' => 'action', 'iframe' => 'src', - 'img' => array( + 'img' => [ 'longdesc', 'src' - ), + ], 'input' => 'src', 'ins' => 'cite', 'q' => 'cite', 'source' => 'src', 'track' => 'src', - 'video' => array( + 'video' => [ 'poster', 'src', - ), - )); - $https_domains = array(); + ], + ]); + $https_domains = []; $force = @file(FRESHRSS_PATH . '/force-https.default.txt', FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES); if (is_array($force)) { $https_domains = array_merge($https_domains, $force); |