-rw-r--r--CHANGELOG5
-rw-r--r--dependencyinjection/dicontainer.php3
2 files changed, 8 insertions, 0 deletions
diff --git a/CHANGELOG b/CHANGELOG
index fdc361ef2..733f1514f 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,3 +1,8 @@
+ownCloud-news (0.97)
+
+* Fix XSS vulnerability in sanitation
+* Properly show embedded vimeo and youtube videos
+
ownCloud-news (0.96)
* Always open links in new tabs
diff --git a/dependencyinjection/dicontainer.php b/dependencyinjection/dicontainer.php
index b1f8855ca..71a0779bd 100644
--- a/dependencyinjection/dicontainer.php
+++ b/dependencyinjection/dicontainer.php
@@ -94,6 +94,9 @@ class DIContainer extends BaseContainer {
$config = \HTMLPurifier_Config::createDefault();
$config->set('Cache.SerializerPath', $directory);
+ $config->set('HTML.SafeIframe', true);
+ $config->set('URI.SafeIframeRegexp',
+ '%^http://(www.youtube(?:-nocookie)?.com/embed/|player.vimeo.com/video/)%'); //allow YouTube and Vimeo
return new \HTMLPurifier($config);
});
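Review bot: The iframe allowlist added on the `URI.SafeIframeRegexp` line is looser than the trailing comment claims, because the dots in `www.youtube(?:-nocookie)?.com` and `player.vimeo.com` are unescaped PCRE metacharacters and so match any single character rather than a literal `.`; a host that differs from the intended ones only at those positions would still pass the check, which matters since this setting decides which third-party origins may be framed into the purified output. Escaping them keeps the allowlist to exactly the two embed hosts: `'%^http://(www\.youtube(?:-nocookie)?\.com/embed/|player\.vimeo\.com/video/)%'`. The pattern also accepts only `http://`, so `https://` embed URLs are still stripped; if those should render too, `^https?://` would cover both without widening the host part. The enclosing closure and the `$directory` it uses begin before this hunk.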