
Merge pull request #334 from Pashe/css-urls

Board stylesheet URL filter fixes and whitelist additions
This commit is contained in:
Fredrick Brennan 2015-01-05 12:43:33 +08:00
commit 755fc1e592


@ -520,23 +520,42 @@ EOT;
preg_match_all("#$match_urls#im", $clean_css, $matched); preg_match_all("#$match_urls#im", $clean_css, $matched);
$allowed_urls = array('https://i.imgur.com/', 'https://media.8chan.co/', 'https://a.pomf.se/', 'https://fonts.googleapis.com/', 'http://8ch.net/'); $allowed_urls = array('https://i.imgur.com/', 'https://media.8chan.co/', 'https://a.pomf.se/', 'https://fonts.googleapis.com/', 'https://fonts.gstatic.com/', 'http://8ch.net/', 'https://8chan.co/');
$error = false;
if (isset($matched[0])) { if (isset($matched[0])) {
foreach ($matched[0] as $i => $v) { foreach ($matched[0] as $match) {
$error = true; $match_okay = false;
foreach ($allowed_urls as $ii => $url) { foreach ($allowed_urls as $allowed_url) {
if (strpos($v, $url) === 0) { if (strpos($match, $allowed_url) !== false) {
$error = false; $match_okay = true;
break;
} }
} }
if ($match_okay !== true) {
error(sprintf(_("Off-site link \"%s\" is not allowed in the board stylesheet"), $match));
}
} }
} }
if ($error) { //Filter out imports from sites with potentially unsafe content
error(_('Off-site links are not allowed in board stylesheets!')); $css_no_comments = preg_replace('|\/\*.*\*\/|', '', $clean_css); //I can't figure out how to ignore comments in the match
$match_imports = '@import[^;]*';
$matched = array();
preg_match_all("#$match_imports#im", $css_no_comments, $matched);
$unsafe_import_urls = array('https://a.pomf.se/');
if (isset($matched[0])) {
foreach ($matched[0] as $match) {
$match_okay = true;
foreach ($unsafe_import_urls as $unsafe_import_url) {
if (strpos($match, $unsafe_import_url) !== false) {
$match_okay = false;
}
}
if ($match_okay !== true) {
error(sprintf(_("Potentially unsafe import \"%s\" is not allowed in the board stylesheet"), $match));
}
}
} }
$query = query('SELECT `uri`, `title`, `subtitle` FROM ``boards`` WHERE `8archive` = TRUE'); $query = query('SELECT `uri`, `title`, `subtitle` FROM ``boards`` WHERE `8archive` = TRUE');
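Review bot: The allowlist test on the new side of line 22, `strpos($match, $allowed_url) !== false`, accepts any match that merely contains an allowed prefix somewhere, so a URL pointing to another host that carries e.g. `https://i.imgur.com/` in its path or query string now passes, whereas the removed `=== 0` required the match to begin with the allowed prefix. If the anchored test was dropped because `$match_urls` (defined above the hunk) captures the `url(` wrapper or surrounding quotes, the fix is to strip that wrapper and keep the prefix comparison: `$url = preg_replace('/^url\(\s*[\'"]?|[\'"]?\s*\)$/i', '', $match);` followed by `if (strpos($url, $allowed_url) === 0) {`. The comment stripping on line 33 (`'|\/\*.*\*\/|'`, no `s` modifier) only removes comments that open and close on a single line, so a `/* ... */` spanning lines still reaches the `@import` scan, and the greedy `.*` also removes real code sitting between two comments on one line; `'|/\*.*?\*/|s'` addresses both. Both loops sit inside a function whose beginning and end are outside the hunk.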