diff options
| author | Bernhard Posselt <dev@bernhard-posselt.com> | 2015-02-02 23:23:30 +0100 |
|---|---|---|
| committer | Bernhard Posselt <dev@bernhard-posselt.com> | 2015-02-05 15:24:32 +0100 |
| commit | 7c4b72e820ba2a04aaf3b4389714c30bfa284bcd (patch) | |
| tree | ed9f3d2ca5a11a97b207d0d4b276879ba62b55a0 | |
| parent | b02ea08db40dae100cd927b22afa8d349570c57e (diff) | |
only allow iframe https content
| -rw-r--r-- | CHANGELOG.md | 3 | ||||
| -rw-r--r-- | appinfo/application.php | 4 |
2 files changed, 5 insertions, 2 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md index 9819fd641..e02ffe224 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,6 @@ +owncloud-news (5.2.2) +* **Security**: Only allow YouTube and Vimeo to embed iframes if they use HTTPS to prevent mixed active content iframe attacks + owncloud-news (5.2.1) * **Bugfix**: Fix admin settings by using the correct config path diff --git a/appinfo/application.php b/appinfo/application.php index 749545ebb..dfbd81be4 100644 --- a/appinfo/application.php +++ b/appinfo/application.php @@ -124,8 +124,8 @@ class Application extends App { $config->set('Cache.SerializerPath', $directory); $config->set('HTML.SafeIframe', true); $config->set('URI.SafeIframeRegexp', - '%^(?:https?:)?//(' . - 'www.youtube(?:-nocookie)?.com/embed/|' . + '%^https://(?:www\.)?(' . + 'youtube(?:-nocookie)?.com/embed/|' . 'player.vimeo.com/video/)%'); //allow YouTube and Vimeo return new HTMLPurifier($config); }); |