tyler.durden/icingaweb2
1
0
Fork 0
mirror of https://github.com/Icinga/icingaweb2.git synced 2025-07-25 23:04:51 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #4654 from Icinga/fix/do-not-load-any-user-links-in-iframes-4637

Browse Source 
Do not load any user links in iframes
This commit is contained in:
Johannes Meyer 2022-02-04 16:17:02 +01:00 committed by GitHub
commit f0892799ff
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 9 additions and 23 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

32
library/Icinga/Web/Helper/Markdown/LinkTransformer.php
View File

@ -5,26 +5,10 @@ namespace Icinga\Web\Helper\Markdown;
use HTMLPurifier_AttrTransform; use HTMLPurifier_AttrTransform;
use HTMLPurifier_Config; use HTMLPurifier_Config;
use ipl\Stdlib\Str;
use ipl\Web\Url; use ipl\Web\Url;
class LinkTransformer extends HTMLPurifier_AttrTransform class LinkTransformer extends HTMLPurifier_AttrTransform
{ {
/**
* Link targets with such a file extension are not loaded by an iFrame
*
* @var string[]
*/
public static $NON_IFRAME_FILES = [
'html',
'htm',
'php',
'svg',
'aspx',
'cshtml',
'vbhtml'
];
/** /**
* Link targets that are considered to have a thumbnail * Link targets that are considered to have a thumbnail
* *
@ -48,23 +32,25 @@ class LinkTransformer extends HTMLPurifier_AttrTransform
} }
$url = Url::fromPath($attr['href']); $url = Url::fromPath($attr['href']);
$fileName = basename($url->getPath());
list($_, $ext) = Str::symmetricSplit($url->getPath(), '.', 2); $ext = null;
if (($extAt = strrpos($fileName, '.')) !== false) {
$ext = substr($fileName, $extAt + 1);
}
$hasThumbnail = $ext !== null && in_array($ext, static::$IMAGE_FILES, true); $hasThumbnail = $ext !== null && in_array($ext, static::$IMAGE_FILES, true);
$useIframe = $ext !== null && ! in_array($ext, static::$NON_IFRAME_FILES, true);
if ($hasThumbnail) { if ($hasThumbnail) {
// I would have liked to not only base this off of the extension, but also by // I would have liked to not only base this off of the extension, but also by
// whether there is an actual img tag inside the anchor. Seems not possible :( // whether there is an actual img tag inside the anchor. Seems not possible :(
$attr['class'] = 'with-thumbnail'; $attr['class'] = 'with-thumbnail';
} }
if ((! isset($attr['target']) || ! in_array($attr['target'], ['_blank', '_self']))) { if (! isset($attr['target'])) {
if ($useIframe) { if ($url->isExternal()) {
$attr['href'] = Url::fromPath('iframe', ['url' => $url])->getAbsoluteUrl();
} elseif ($url->isExternal()) {
$attr['target'] = '_blank'; $attr['target'] = '_blank';
} else {
$attr['data-base-target'] = '_next';
} }
} }