-rw-r--r-- | CHANGELOG.md | 3 | ||||
-rw-r--r-- | appinfo/application.php | 4 |
2 files changed, 5 insertions, 2 deletions
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 9819fd641..e02ffe224 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,6 @@
+owncloud-news (5.2.2)
+* **Security**: Only allow YouTube and Vimeo to embed iframes if they use HTTPS to prevent mixed active content iframe attacks
+
 owncloud-news (5.2.1)
 * **Bugfix**: Fix admin settings by using the correct config path
diff --git a/appinfo/application.php b/appinfo/application.php
index 749545ebb..dfbd81be4 100644
--- a/appinfo/application.php
+++ b/appinfo/application.php
@@ -124,8 +124,8 @@ class Application extends App {
 $config->set('Cache.SerializerPath', $directory);
 $config->set('HTML.SafeIframe', true);
 $config->set('URI.SafeIframeRegexp',
- '%^(?:https?:)?//(' .
- 'www.youtube(?:-nocookie)?.com/embed/|' .
+ '%^https://(?:www\.)?(' .
+ 'youtube(?:-nocookie)?.com/embed/|' .
 'player.vimeo.com/video/)%'); //allow YouTube and Vimeo
 return new HTMLPurifier($config);
 });
|
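Review bot: The dots in `youtube(?:-nocookie)?.com/embed/` and in the context line `player.vimeo.com/video/` are still unescaped regex metacharacters, while the newly added `(?:www\.)?` does escape its dot, so `.` matches any single character rather than a literal period and the allowlist is looser than the changelog entry describes. Escaping them restricts the pattern to the two intended hosts: `'%^https://(?:www\.)?(' .` / `'youtube(?:-nocookie)?\.com/embed/|' .` / `'player\.vimeo\.com/video/)%'`. A short comment on the pattern such as `// HTTPS-only iframe allowlist; dots escaped so only literal youtube.com, youtube-nocookie.com and player.vimeo.com match` would also make the intent explicit for the next edit. The closure that sets these options and the enclosing service registration start and end outside the hunk.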