From aaf573e2fcaaa5c5b52c61eaaa4d6a5ca3b247d9 Mon Sep 17 00:00:00 2001
From: Seth
Date: Sat, 25 Sep 2021 15:15:13 -0400
Subject: [PATCH] Now filter html external references (eg. images to arbitrary urls). This ensures that arbitrary urls are not fetched from the server during PDF creation.
---
 app/conf/app.conf | 4 ++++
 app/lib/BaseModel.php | 6 +++++-
 2 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/app/conf/app.conf b/app/conf/app.conf
index e8c5731b1c..a124402eb6 100755
--- a/app/conf/app.conf
+++ b/app/conf/app.conf
@@ -2109,6 +2109,10 @@ service_view_path = /service/views
 # -----------------------------------
 purify_all_text_input = 1
 
+# Allow external URL references (eg. images) in HTML text input?
+# Leaving this enabled may be a security risk
+purify_allow_external_references = 0
+
 # -----------------------------------
 # Paths to other config files
 # -----------------------------------
diff --git a/app/lib/BaseModel.php b/app/lib/BaseModel.php
index d433bfd6c8..eb29837b77 100755
--- a/app/lib/BaseModel.php
+++ b/app/lib/BaseModel.php
@@ -551,7 +551,11 @@ public function purify($pb_purify=null) {
 * @return HTMLPurifier Returns instance
 */
 static public function getPurifier() {
- if (!BaseModel::$html_purifier) { BaseModel::$html_purifier = new HTMLPurifier(); }
+ if (!BaseModel::$html_purifier) {
+ $config = HTMLPurifier_Config::createDefault();
+ $config->set('URI.DisableExternalResources', !Configuration::load()->get('purify_allow_external_references'));
+ BaseModel::$html_purifier = new HTMLPurifier($config);
+ }
 return BaseModel::$html_purifier;
 }
 # --------------------------------------------------------------------------------
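Review bot: The new comment on `purify_allow_external_references` says enabling it "may be a security risk" but not what the risk is, although the commit message states it plainly: the server itself fetches the referenced URL when the stored HTML is rendered to PDF. A reader deciding whether to flip the default to 1 needs that consequence in the config file, e.g. `# When enabled, URLs referenced by stored HTML (eg. images) are fetched by the server during PDF generation; leave at 0 unless required.`. It is also worth saying here that the value controls only resources with an external host, since that is all the HTMLPurifier option applied in BaseModel.php governs.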
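Review bot: The docblock above `getPurifier()` still documents only the return value, although the instance is now built from `purify_allow_external_references` and then cached in the static `$html_purifier`, so the setting is read once per process and a later config change is not picked up until restart. A line such as ` * The instance is created once and cached; external resource URIs (those carrying a host) are rejected unless purify_allow_external_references is set.` would make both facts visible at the call site. The commit message frames this as preventing fetches during PDF creation, but if I read HTMLPurifier's `URI.DisableExternalResources` filter correctly it rejects only URIs that carry a host, so relative URIs still pass and are resolved by whatever consumes the purified HTML — presumably worth confirming that the PDF renderer constrains the base it resolves against. The docblock's opening line and the enclosing class lie outside the hunk.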