From 4f7d69e1856a611025f53eef273e5af039d9aa16 Mon Sep 17 00:00:00 2001
From: Andrew Dolgov
Date: Tue, 19 Mar 2013 12:49:55 +0400
Subject: [PATCH] detect whether browser supports iframe.sandbox and allow iframes accordingly; allow object and embed elements
---
 classes/rpc.php | 1 +
 include/functions.php | 4 +++-
 js/tt-rss.js | 4 +++-
 3 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/classes/rpc.php b/classes/rpc.php
index 5d77b1ae..b297bbad 100644
--- a/classes/rpc.php
+++ b/classes/rpc.php
@@ -285,6 +285,7 @@ class RPC extends Handler_Protected {
 function sanityCheck() {
 $_SESSION["hasAudio"] = $_REQUEST["hasAudio"] === "true";
+ $_SESSION["hasSandbox"] = $_REQUEST["hasSandbox"] === "true";
 $reply = array();
diff --git a/include/functions.php b/include/functions.php
index 0e5d15ea..50bdc13a 100644
--- a/include/functions.php
+++ b/include/functions.php
@@ -2626,7 +2626,9 @@ $allowed_elements = array('p', 'br', 'div', 'table', 'tr', 'td', 'th', 'ul', 'ol', 'li', 'blockquote', 'span', 'html', 'body', 'a', 'img',
- 'iframe', 'video', 'audio', 'source');
+ 'video', 'audio', 'source', 'object', 'embed');
+
+ if ($_SESSION['hasSandbox']) array_push($allowed_elements, 'iframe');
 $disallowed_attributes = array('id', 'style', 'class');
diff --git a/js/tt-rss.js b/js/tt-rss.js
index 5ada64d3..5968f58e 100644
--- a/js/tt-rss.js
+++ b/js/tt-rss.js
@@ -244,9 +244,11 @@ function init() {
 loading_set_progress(20);
 var hasAudio = !!((myAudioTag = document.createElement('audio')).canPlayType);
+ var hasSandbox = "sandbox" in document.createElement("iframe");
 new Ajax.Request("backend.php", {
- parameters: {op: "rpc", method: "sanityCheck", hasAudio: hasAudio},
+ parameters: {op: "rpc", method: "sanityCheck", hasAudio: hasAudio,
+ hasSandbox: hasSandbox},
 onComplete: function(transport) { backend_sanity_check_callback(transport); } });
--
2.39.5
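Review bot: In sanityCheck() the new `$_SESSION["hasSandbox"]` is copied straight from `$_REQUEST`, and the functions.php hunk then uses that session flag to decide whether the sanitizer keeps `iframe`, so a security decision rests on a value that any request reaching this method can set, including via a GET parameter. If this RPC method is not covered by a CSRF check (not visible in the hunk), a cross-site request could switch the flag on for a session whose browser has no sandbox support. Reading only the POST body and defaulting to false when the key is missing narrows that: `$_SESSION["hasSandbox"] = isset($_POST["hasSandbox"]) && $_POST["hasSandbox"] === "true";`. A short comment above the line saying that the flag gates iframe sanitisation would help the next reader; the rest of sanityCheck() lies outside the hunk.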
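Review bot: `object` and `embed` are added to `$allowed_elements` unconditionally, while `iframe` is now admitted only when the browser reports sandbox support; those two elements have no sandbox equivalent, so plugin content referenced by a feed would be kept for every client. The only attribute filter visible here is `$disallowed_attributes = array('id', 'style', 'class')`, which leaves `data`, `src` and `type` untouched, so I would keep the list at `'video', 'audio', 'source');` unless the sources are restricted to an allow-list elsewhere. Separately, `$_SESSION['hasSandbox']` is read without an existence check, and sessions that never ran sanityCheck will raise a notice; `if (!empty($_SESSION['hasSandbox'])) array_push($allowed_elements, 'iframe');` keeps the default-deny behaviour without it. Whether the sanitizer actually sets the `sandbox` attribute on the iframes it keeps is outside this hunk and worth confirming, since the browser check is only useful if it does.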