Lanmikeman/openvk
Lanmikeman/openvk
1
1
Fork 0
mirror of https://github.com/openvk/openvk synced 2025-07-02 22:09:53 +03:00
Code Issues Projects Releases Packages Wiki Activity

add list of allowed hosts in notes images

Browse source 
Co-Authored-By: n1rwana <93197434+n1rwana@users.noreply.github.com>
This commit is contained in:
mrilyew 2025-06-08 11:08:53 +03:00
parent ec5dee371c
commit 3cef6e4824
5 changed files with 69 additions and 9 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

51
Web/Models/Entities/Note.php
View file

@ -6,12 +6,42 @@ namespace openvk\Web\Models\Entities;
use HTMLPurifier_Config;
use HTMLPurifier;
use HTMLPurifier_Filter;
class SecurityFilter extends HTMLPurifier_Filter
{
public function preFilter($html, $config, $context)
{
$html = preg_replace_callback(
'/<img[^>]*src\s*=\s*["\']([^"\']*)["\'][^>]*>/i',
function ($matches) {
$originalSrc = $matches[1];
$src = $originalSrc;
if (OPENVK_ROOT_CONF["openvk"]["preferences"]["notes"]["disableHotlinking"] ?? true) {
if (!str_contains($src, "/image.php?url=")) {
$src = '/image.php?url=' . base64_encode($originalSrc);
} /*else {
$src = preg_replace_callback('/(.*)\/image\.php\?url=(.*)/i', function ($matches) {
return base64_decode($matches[2]);
}, $src);
}*/
}
return str_replace($originalSrc, $src, $matches[0]);
},
$html
);
return $html;
}
}
class Note extends Postable
{
protected $tableName = "notes";
protected function renderHTML(): string
protected function renderHTML(?string $content = null): string
{
$config = HTMLPurifier_Config::createDefault();
$config->set("Attr.AllowedClasses", []);
@ -78,16 +108,19 @@ class Note extends Postable
$config->set("Attr.AllowedClasses", [
"underline",
]);
$config->set('Filter.Custom', [new SecurityFilter()]);
$source = null;
if (is_null($this->getRecord())) {
if (isset($this->changes["source"])) {
$source = $this->changes["source"];
$source = $content;
if (!$source) {
if (is_null($this->getRecord())) {
if (isset($this->changes["source"])) {
$source = $this->changes["source"];
} else {
throw new \LogicException("Can't render note without content set.");
}
} else {
throw new \LogicException("Can't render note without content set.");
$source = $this->getRecord()->source;
}
} else {
$source = $this->getRecord()->source;
}
$purifier = new HTMLPurifier($config);
@ -117,7 +150,7 @@ class Note extends Postable
$this->save();
}
return $cached;
return $this->renderHTML($cached);
}
public function getSource(): string

22
Web/Presenters/InternalAPIPresenter.php
View file

@ -176,4 +176,26 @@ final class InternalAPIPresenter extends OpenVKPresenter
exit('');
}
}
public function renderImageFilter()
{
$is_enabled = OPENVK_ROOT_CONF["openvk"]["preferences"]["notes"]["disableHotlinking"] ?? true;
$allowed_hosts = OPENVK_ROOT_CONF["openvk"]["preferences"]["notes"]["allowedHosts"] ?? [];
$url = $this->requestParam("url");
$url = base64_decode($url);
if (!$is_enabled) {
$this->redirect($url);
}
$url_parsed = parse_url($url);
$host = $url_parsed['host'];
if (in_array($host, $allowed_hosts)) {
$this->redirect($url);
} else {
$this->redirect('/assets/packages/static/openvk/img/fn_placeholder.jpg');
}
}
}

2
Web/routes.yml
View file

@ -413,6 +413,8 @@ routes:
handler: "InternalAPI->getPhotosFromPost"
- url: "/iapi/getPostTemplate/{num}_{num}"
handler: "InternalAPI->getPostTemplate"
- url: "/image.php"
handler: "InternalAPI->imageFilter"
- url: "/tour"
handler: "About->tour"
- url: "/fave"

BIN
Web/static/img/fn_placeholder.jpg Normal file
View file

Binary file not shown.
Side by side

After

Width:  |  Height:  |  Size: 15 KiB

3
openvk-example.yml
View file

@ -60,6 +60,9 @@ openvk:
exposeOriginalURLs: true
newsfeed:
ignoredSourcesLimit: 50
notes:
disableHotlinking: true
allowedHosts: []
wall:
christian: false
anonymousPosting: