fix(embed): only allow iframe, video and audio tags in embed html

Fixes #14
hypeJunction · Oct 14, 2016 · cd23401 · cd23401
1 parent ebed75f
commit cd23401
Show file tree

Hide file tree

Showing 2 changed files with 23 additions and 1 deletion.
diff --git a/classes/hypeJunction/Scraper/Views.php b/classes/hypeJunction/Scraper/Views.php
@@ -137,7 +137,7 @@ public static function addBookmarkProfilePreview($hook, $type, $return, $params)
 	 * Linkify longtext output
 	 *
 	 * @param string $hook   "view"
-	 * @param string $type   "output/longtext""
+	 * @param string $type   "output/longtext"
 	 * @param array  $return View vars
 	 * @param array  $params Hook params
 	 * @return array
@@ -149,4 +149,24 @@ public static function linkifyLongtext($hook, $type, $return, $params) {
 		return hypeapps_linkify_tokens($return, $params['vars']);
 	}
 
+	/**
+	 * Filter parsed metatags
+	 *
+	 * @param string $hook   "parse"
+	 * @param string $type   "framework/scraper"
+	 * @param array  $return Data
+	 * @param array  $params Hook params
+	 * @return array
+	 */
+	public static function cleanEmbedHTML($hook, $type, $return, $params) {
+
+		if (!empty($return['html'])) {
+			// only allow iframe, video, and audio tags
+			if (!preg_match('/<iframe|video|audio/i', $return['html'])) {
+				unset($return['html']);
+			}
+		}
+
+		return $return;
+	}
 }
diff --git a/start.php b/start.php
@@ -30,6 +30,8 @@
 	}
 
 	elgg_register_plugin_hook_handler('view', 'output/longtext', [Views::class, 'linkifyLongtext']);
+
+	elgg_register_plugin_hook_handler('parse', 'framework:scraper', [Views::class, 'cleanEmbedHTML']);
 
 });