From d15f0349bf1671d3b3704f728372b7fb3f4045bd Mon Sep 17 00:00:00 2001 From: Andrew Dolgov Date: Wed, 27 Nov 2019 11:52:51 +0300 Subject: [PATCH] remove hardcoded iframe domain whitelist, make iframe script whitelisting configurable by plugins (HOOK_IFRAME_WHITELISTED) --- classes/pluginhost.php | 1 + include/functions.php | 6 ++---- 2 files changed, 3 insertions(+), 4 deletions(-) diff --git a/classes/pluginhost.php b/classes/pluginhost.php index ac782e699..6158880f2 100755 --- a/classes/pluginhost.php +++ b/classes/pluginhost.php @@ -61,6 +61,7 @@ class PluginHost { const HOOK_GET_FULL_TEXT = 41; const HOOK_ARTICLE_IMAGE = 42; const HOOK_FEED_TREE = 43; + const HOOK_IFRAME_WHITELISTED = 44; const KIND_ALL = 1; const KIND_SYSTEM = 2; diff --git a/include/functions.php b/include/functions.php index c152454b9..0f5464990 100644 --- a/include/functions.php +++ b/include/functions.php @@ -1250,13 +1250,11 @@ } function iframe_whitelisted($entry) { - $whitelist = array("youtube.com", "youtu.be", "vimeo.com", "player.vimeo.com"); - @$src = parse_url($entry->getAttribute("src"), PHP_URL_HOST); if ($src) { - foreach ($whitelist as $w) { - if ($src == $w || $src == "www.$w") + foreach (PluginHost::getInstance()->get_hooks(PluginHost::HOOK_IFRAME_WHITELISTED) as $plugin) { + if ($plugin->hook_iframe_whitelisted($src)) return true; } }