Now filter html external references (eg. images to arbitrary urls). T…

…his ensures that arbitrary urls are not fetched from the server during PDF creation.
collectiveaccess · Sep 25, 2021 · aaf573e · aaf573e
1 parent 8362ed4
commit aaf573e
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 1 deletion.
diff --git a/app/conf/app.conf b/app/conf/app.conf
@@ -2109,6 +2109,10 @@ service_view_path = <ca_app_dir>/service/views
 # -----------------------------------
 purify_all_text_input = 1
 
+# Allow external URL references (eg. images) in HTML text input? 
+# Leaving this enabled may be a security risk
+purify_allow_external_references = 0
+
 # -----------------------------------
 # Paths to other config files
 # -----------------------------------

diff --git a/app/lib/BaseModel.php b/app/lib/BaseModel.php
@@ -551,7 +551,11 @@ public function purify($pb_purify=null) {
 	 * @return HTMLPurifier Returns instance
 	 */
 	static public function getPurifier() {
-		if (!BaseModel::$html_purifier) { BaseModel::$html_purifier = new HTMLPurifier(); }
+		if (!BaseModel::$html_purifier) { 
+			$config = HTMLPurifier_Config::createDefault();
+			$config->set('URI.DisableExternalResources', !Configuration::load()->get('purify_allow_external_references'));
+			BaseModel::$html_purifier = new HTMLPurifier($config); 
+		}
 		return BaseModel::$html_purifier;
 	}
 	# --------------------------------------------------------------------------------