authorAndrew Dolgov <[email protected]>2020-04-29 19:04:34 +0300
committerAndrew Dolgov <[email protected]>2020-04-29 19:04:34 +0300
commit7d9dd51cf4ac5947bbf15ff5d2b263ec8e1f72e9 (patch)
tree2c9976f731e1b67b9574b406b3815aa184e4c3af
parent83c8834421a5b16b54136bb3c23c3e817be967c0 (diff)
sanitize: remove srcset plain-http hack, globally disallow width and height attributes for all elements
-rw-r--r--include/functions.php20
1 files changed, 1 insertions, 19 deletions
diff --git a/include/functions.php b/include/functions.php
index 532e48139..da409ed01 100644
--- a/include/functions.php
+++ b/include/functions.php
@@ -1283,24 +1283,6 @@
if ($entry->nodeName == 'img') {
$entry->setAttribute('referrerpolicy', 'no-referrer');
$entry->setAttribute('loading', 'lazy');
-
- $entry->removeAttribute('width');
- $entry->removeAttribute('height');
-
- if ($entry->hasAttribute('src')) {
- $is_https_url = parse_url($entry->getAttribute('src'), PHP_URL_SCHEME) === 'https';
-
- if (is_prefix_https() && !$is_https_url) {
-
- if ($entry->hasAttribute('srcset')) {
- $entry->removeAttribute('srcset');
- }
-
- if ($entry->hasAttribute('sizes')) {
- $entry->removeAttribute('sizes');
- }
- }
- }
}
if ($entry->hasAttribute('srcset')) {
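Review bot: With the plain-http guard removed, an `<img>` whose `src` is `http://` on an https-prefixed install now keeps its `srcset` and `sizes`, so any `http://` candidates in `srcset` reach the browser as mixed content unless the `srcset` handling that begins on the hunk's last line rewrites every candidate URL — that branch continues outside the hunk, as does the enclosing sanitize function. If that rewriting covers absolute `http://` candidates and not only relative ones, a short comment on the `srcset` branch should record why the guard could go, e.g. `// srcset candidates are rewritten below, so the old http-only strip is unnecessary`. If it does not, the candidates need to be filtered to `https://` at that point rather than passed through. The `referrerpolicy` and `loading` lines are unaffected by this change.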
@@ -1379,7 +1361,7 @@
if ($_SESSION['hasSandbox']) $allowed_elements[] = 'iframe';
- $disallowed_attributes = array('id', 'style', 'class');
+ $disallowed_attributes = array('id', 'style', 'class', 'width', 'height');
foreach (PluginHost::getInstance()->get_hooks(PluginHost::HOOK_SANITIZE) as $plugin) {
$retval = $plugin->hook_sanitize($doc, $site_url, $allowed_elements, $disallowed_attributes, $article_id);
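Review bot: `$disallowed_attributes` is a denylist, so adding `width` and `height` strips those two attributes from every element but leaves other presentational attributes such as `align`, `border`, `hspace`, `vspace` and `bgcolor` untouched; if the intent is to keep feed markup from dictating layout, those likely need the same treatment, and if the intent is narrower a comment should say so. A one-line comment above the array would help the next reader, e.g. `// removed from every element, not just <img>; plugins receive this list via HOOK_SANITIZE`. Whether a plugin can actually extend the list depends on how `$retval` is consumed after this hunk, which is not visible here. The enclosing sanitize function starts and ends outside this hunk.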