author | Bernhard Posselt <dev@bernhard-posselt.com> | 2015-01-27 09:17:15 +0100 |
committer | Bernhard Posselt <dev@bernhard-posselt.com> | 2015-01-27 09:17:15 +0100 |
commit | fe3969f3759998d3f567a6769535640be69ea1e9 (patch) | |
tree | 774efc15376860697c0648e49bf8066317b0d118 /articleenhancer | |
parent | 32ec52747b7f2e25df273471bc6be480aa2dcca9 (diff) |
remove XXE checks for loadHTML since it is apparently not possible to exploit it
Diffstat (limited to 'articleenhancer')
-rw-r--r-- | articleenhancer/globalarticleenhancer.php | 11 | ||||
-rw-r--r-- | articleenhancer/xpatharticleenhancer.php | 20 |
2 files changed, 14 insertions, 17 deletions
diff --git a/articleenhancer/globalarticleenhancer.php b/articleenhancer/globalarticleenhancer.php
index 1939ca41c..004d92a9f 100644
--- a/articleenhancer/globalarticleenhancer.php
+++ b/articleenhancer/globalarticleenhancer.php
@@ -13,7 +13,8 @@ namespace OCA\News\ArticleEnhancer;
-use \ZendXml\Security;
+use DomDocument;
+use DOMXpath;
 use \OCA\News\Db\Item;
@@ -26,17 +27,15 @@ class GlobalArticleEnhancer implements ArticleEnhancer {
 */
 public function enhance(Item $item) {
- $dom = new \DOMDocument();
+ $dom = new DOMDocument();
 // wrap it inside a div if there is none to prevent invalid wrapping
 // inside <p> tags
 $body = '<div>' . $item->getBody() . '</div>';
- $isOk = Security::scanHtml(
- $body, $dom, LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD
- );
+ @$dom->loadHTML($body, LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
- $xpath = new \DOMXpath($dom);
+ $xpath = new DOMXpath($dom);
 // remove youtube autoplay
 // NOTE: PHP supports only XPath 1.0 so no matches() function :(
diff --git a/articleenhancer/xpatharticleenhancer.php b/articleenhancer/xpatharticleenhancer.php
index 42b2edf0c..67fbf78d2 100644
--- a/articleenhancer/xpatharticleenhancer.php
+++ b/articleenhancer/xpatharticleenhancer.php
@@ -13,15 +13,15 @@ namespace OCA\News\ArticleEnhancer;
-use \DOMDocument;
-use \DOMXpath;
+use DOMDocument;
+use DOMXpath;
-use \ZendXml\Security;
-use \PicoFeed\Encoding\Encoding;
+use PicoFeed\Encoding\Encoding;
-use \OCA\News\Utility\PicoFeedClientFactory;
+use OCA\News\Utility\PicoFeedClientFactory;
+
+use OCA\News\Db\Item;
-use \OCA\News\Db\Item;
 class XPathArticleEnhancer implements ArticleEnhancer {
@@ -72,8 +72,7 @@ class XPathArticleEnhancer implements ArticleEnhancer {
 }
 $dom = new DOMDocument();
-
- $isOk = Security::scanHtml($body, $dom);
+ @$dom->loadHTML($body);
 $xpath = new DOMXpath($dom);
 $xpathResult = $xpath->evaluate($search);
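Review bot: The result of `@$dom->loadHTML($body, LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);` in GlobalArticleEnhancer::enhance is dropped, so a body libxml rejects leaves `$dom` empty and the XPath clean-up that follows runs against nothing, whereas the hunk at line 127 of xpatharticleenhancer.php still keeps `$isOk` and bails out. Capture the return value and leave the item untouched on failure, e.g. `if (!@$dom->loadHTML($body, LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD)) { return $item; }` — assuming enhance() returns the item, which this hunk does not show. Because this line replaces the ZendXml XXE guard on feed HTML fetched from remote servers, record the reasoning next to the call so a later change does not undo it, e.g. `// libxml's HTML parser ignores entity declarations and never loads an external DTD, so loadHTML() is not XXE-exploitable the way loadXML() is; do not switch to loadXML() or add LIBXML_NOENT / LIBXML_DTDLOAD for this untrusted input`. The `use DomDocument;` added in this file's header hunk also mismatches the `DOMDocument` spelling used on this line and in xpatharticleenhancer.php; PHP resolves class names case-insensitively, but one spelling is easier to grep. enhance()'s body continues past the end of the hunk.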
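Review bot: `@$dom->loadHTML($body);` in the hunk at line 72 of xpatharticleenhancer.php discards the parse result, so when libxml rejects `$body` the `$xpath->evaluate($search)` two lines below runs against an empty document and its result is consumed as if the page had parsed. Keep the value the old `Security::scanHtml` call was assigning, e.g. `$isOk = @$dom->loadHTML($body);`, and return early when it is false — the method's signature and return convention are outside the hunk, so pick the value its callers already expect. The `@` also mutes every libxml diagnostic; `libxml_use_internal_errors(true);` before the call and `libxml_clear_errors();` after it keeps the errors inspectable without the suppression operator. The enclosing method starts before this hunk and ends after it.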
@@ -127,9 +126,8 @@ class XPathArticleEnhancer implements ArticleEnhancer {
 }
 $xmlString = '<div>' . $xmlString . '</div>';
- $isOk = Security::scanHtml(
- $xmlString, $dom, LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD
- );
+ $isOk = @$dom->loadHTML($xmlString, LIBXML_HTML_NOIMPLIED |
+ LIBXML_HTML_NODEFDTD);
 if(!$isOk) {
 return false;
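Review bot: `$isOk = @$dom->loadHTML($xmlString, LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);` keeps the failure check but still mutes every libxml diagnostic with `@`, so the `return false;` below carries no trace of why the fragment was rejected. Now that the outcome is handled through the return value, prefer `libxml_use_internal_errors(true);` before the call, drop the `@`, and `libxml_clear_errors();` afterwards, which leaves the messages available for logging. The enclosing method starts before this hunk, so where `$dom` is constructed and which options it carries cannot be judged here.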