unembedContent() public static method

This allows later parsing to insert a sanitized video video embed normally. Necessary for backwards compatibility from when we allowed embed & object tags. This is not an HTML filter; it enables old YouTube videos to theoretically work, it doesn't effectively block YouTube iframes or objects.
public static unembedContent ( mixed $Mixed ) : HTML
$Mixed mixed
return HTML string
Gdn_Format Class Documentation
Ejemplo n.º 1
0
 /**
  * Filter provided HTML through htmlLawed and return the result.
  *
  * @param string $html String of HTML to filter.
  * @return string Returns the filtered HTML.
  */
 public function format($html)
 {
     $attributes = c('Garden.Html.BlockedAttributes', 'on*');
     $config = ['anti_link_spam' => ['`.`', ''], 'balance' => 1, 'cdata' => 3, 'comment' => 1, 'css_expression' => 1, 'deny_attribute' => $attributes, 'direct_list_nest' => 1, 'elements' => '*-applet-form-input-textarea-iframe-script-style-embed-object-select-option-button-fieldset-optgroup-legend', 'keep_bad' => 0, 'schemes' => 'classid:clsid; href: aim, feed, file, ftp, gopher, http, https, irc, mailto, news, nntp, sftp, ssh, telnet; style: nil; *:file, http, https', 'unique_ids' => 1, 'valid_xhtml' => 0];
     // Turn embedded videos into simple links (legacy workaround)
     $html = Gdn_Format::unembedContent($html);
     // We check the flag within Gdn_Format to see
     // if htmLawed should place rel="nofollow" links
     // within output or not.
     // A plugin can set this flag (for example).
     // The default is to show rel="nofollow" on all links.
     if (Gdn_Format::$DisplayNoFollow) {
         // display rel="nofollow" on all links.
         $config['anti_link_spam'] = ['`.`', ''];
     } else {
         // never display rel="nofollow"
         $config['anti_link_spam'] = ['', ''];
     }
     // Deny all class and style attributes.
     // A lot of damage can be done by hackers with these attributes.
     $config['deny_attribute'] .= ',style,class';
     // Block some IDs so you can't break Javascript
     $GLOBALS['hl_Ids'] = ['Bookmarks' => 1, 'CommentForm' => 1, 'Content' => 1, 'Definitions' => 1, 'DiscussionForm' => 1, 'Foot' => 1, 'Form_Comment' => 1, 'Form_User_Password' => 1, 'Form_User_SignIn' => 1, 'Head' => 1, 'HighlightColor' => 1, 'InformMessageStack' => 1, 'Menu' => 1, 'PagerMore' => 1, 'Panel' => 1, 'Status' => 1];
     $spec = 'object=-classid-type, -codebase; embed=type(oneof=application/x-shockwave-flash); ';
     // Define elements allowed to have a `class`.
     $spec .= implode(',', $this->classedElements);
     // Whitelist classes we allow.
     $spec .= '=class(oneof=' . implode('|', $this->allowedClasses) . '); ';
     return Htmlawed::filter($html, $config, $spec);
 }