From 7c4b72e820ba2a04aaf3b4389714c30bfa284bcd Mon Sep 17 00:00:00 2001
From: Bernhard Posselt <dev@bernhard-posselt.com>
Date: Mon, 2 Feb 2015 23:23:30 +0100
Subject: only allow iframe https content

---
 CHANGELOG.md            | 3 +++
 appinfo/application.php | 4 ++--
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 9819fd641..e02ffe224 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,6 @@
+owncloud-news (5.2.2)
+* **Security**: Only allow YouTube and Vimeo to embed iframes if they use HTTPS to prevent mixed active content iframe attacks
+
 owncloud-news (5.2.1)
 * **Bugfix**: Fix admin settings by using the correct config path
 
diff --git a/appinfo/application.php b/appinfo/application.php
index 749545ebb..dfbd81be4 100644
--- a/appinfo/application.php
+++ b/appinfo/application.php
@@ -124,8 +124,8 @@ class Application extends App {
             $config->set('Cache.SerializerPath', $directory);
             $config->set('HTML.SafeIframe', true);
             $config->set('URI.SafeIframeRegexp',
-                '%^(?:https?:)?//(' .
-                'www.youtube(?:-nocookie)?.com/embed/|' .
+                '%^https://(?:www\.)?(' .
+                'youtube(?:-nocookie)?.com/embed/|' .
                 'player.vimeo.com/video/)%'); //allow YouTube and Vimeo
             return new HTMLPurifier($config);
         });
-- 
cgit v1.2.3