servers
/
ttrss
mirror of https://tt-rss.org/git/tt-rss.git
1
0
Fork 0
Code Issues Releases Wiki Activity

sanitize: remove srcset plain-http hack, globally disallow width and height attributes for all elements

This commit is contained in:
Andrew Dolgov 2020-04-29 19:04:34 +03:00
parent 83c8834421
commit 7d9dd51cf4
1 changed files with 1 additions and 19 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
include/functions.php
View File

@ -1283,24 +1283,6 @@
if ($entry->nodeName == 'img') {
$entry->setAttribute('referrerpolicy', 'no-referrer');
$entry->setAttribute('loading', 'lazy');
$entry->removeAttribute('width');
$entry->removeAttribute('height');
if ($entry->hasAttribute('src')) {
$is_https_url = parse_url($entry->getAttribute('src'), PHP_URL_SCHEME) === 'https';
if (is_prefix_https() && !$is_https_url) {
if ($entry->hasAttribute('srcset')) {
$entry->removeAttribute('srcset');
}
if ($entry->hasAttribute('sizes')) {
$entry->removeAttribute('sizes');
}
}
}
}
if ($entry->hasAttribute('srcset')) {
@ -1379,7 +1361,7 @@
if ($_SESSION['hasSandbox']) $allowed_elements[] = 'iframe';
$disallowed_attributes = array('id', 'style', 'class');
$disallowed_attributes = array('id', 'style', 'class', 'width', 'height');
foreach (PluginHost::getInstance()->get_hooks(PluginHost::HOOK_SANITIZE) as $plugin) {
$retval = $plugin->hook_sanitize($doc, $site_url, $allowed_elements, $disallowed_attributes, $article_id);