diff options
| -rw-r--r-- | classes/api.php | 5 | ||||
| -rw-r--r-- | include/functions2.php | 19 |
2 files changed, 22 insertions, 2 deletions
diff --git a/classes/api.php b/classes/api.php index 730e20ab9..b9b1a7aa3 100644 --- a/classes/api.php +++ b/classes/api.php @@ -2,7 +2,7 @@ class API extends Handler { - const API_LEVEL = 9; + const API_LEVEL = 10; const STATUS_OK = 0; const STATUS_ERR = 1; @@ -201,6 +201,9 @@ class API extends Handler { $sanitize_content = !isset($_REQUEST["sanitize"]) || sql_bool_to_bool($_REQUEST["sanitize"]); $force_update = sql_bool_to_bool($_REQUEST["force_update"]); + $has_sandbox = sql_bool_to_bool($_REQUEST["has_sandbox"]); + + $_SESSION['hasSandbox'] = $has_sandbox; $override_order = false; switch ($_REQUEST["order_by"]) { diff --git a/include/functions2.php b/include/functions2.php index 672373e6d..866c92ec9 100644 --- a/include/functions2.php +++ b/include/functions2.php @@ -826,6 +826,21 @@ } + function iframe_whitelisted($entry) { + $whitelist = array("youtube.com", "youtu.be", "vimeo.com"); + + @$src = parse_url($entry->getAttribute("src"), PHP_URL_HOST); + + if ($src) { + foreach ($whitelist as $w) { + if ($src == $w || $src == "www.$w") + return true; + } + } + + return false; + } + function sanitize($str, $force_remove_images = false, $owner = false, $site_url = false, $highlight_words = false, $article_id = false) { if (!$owner) $owner = $_SESSION["uid"]; @@ -894,7 +909,9 @@ $entries = $xpath->query('//iframe'); foreach ($entries as $entry) { - $entry->setAttribute('sandbox', 'allow-scripts'); + if (!iframe_whitelisted($entry)) { + $entry->setAttribute('sandbox', 'allow-scripts'); + } } |