mirror/FreshRSS
0
0
Fork 0
mirror of https://github.com/FreshRSS/FreshRSS.git synced 2026-03-29 03:32:53 -04:00
Code Issues Packages Projects Releases Wiki Activity

Disallow iframe srcdoc for now (#7494)

Browse Source 
We do not sanitize this attribute well enough, so striped for now.
It is rarely used: I have not seen any use of it in any of my many test feeds.
Can be added back when we can handle its inherent security issues better.
This commit is contained in:
Alexandre Alapetite
2025-04-06 00:47:45 +02:00
committed by GitHub
parent d858053a7c
commit 54e2f9107d
1 changed files with 1 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
lib/lib_rss.php
View File

@@ -350,7 +350,7 @@ function customSimplePie(array $attributes = [], array $curl_options = []): \Sim
$simplePie->strip_attributes(array_merge($simplePie->strip_attributes, [
'autoplay', 'class', 'onload', 'onunload', 'onclick', 'ondblclick', 'onmousedown', 'onmouseup',
'onmouseover', 'onmousemove', 'onmouseout', 'onfocus', 'onblur',
'onkeypress', 'onkeydown', 'onkeyup', 'onselect', 'onchange', 'seamless', 'sizes', 'srcset']));
'onkeypress', 'onkeydown', 'onkeyup', 'onselect', 'onchange', 'seamless', 'sizes', 'srcdoc', 'srcset']));
$simplePie->add_attributes([
'audio' => ['controls' => 'controls', 'preload' => 'none'],
'iframe' => [