Reviewed: https://reviews.mahara.org/4658 Committed: http://gitorious.org/mahara/mahara/commit/3b4f216858f8ab5fec76f8553f9f8602778a48c9 Submitter: Robert Lyon (robe...@catalyst.net.nz) Branch: 1.10_STABLE
commit 3b4f216858f8ab5fec76f8553f9f8602778a48c9 Author: Robert Lyon <robe...@catalyst.net.nz> Date: Thu Apr 16 11:31:53 2015 +1200 Allow prefixes that end in / to try ? and # as well Bug 1286935 Seeing as we check the url against FILTER_VALIDATE_URL and that only site admins can add to the 'allowed iframe sources' that should be enough without having to add the / to the end of the url. Change-Id: I82e3623d3df2fa03012278d334994224c51a092e Signed-off-by: Robert Lyon <robe...@catalyst.net.nz> -- You received this bug notification because you are a member of Mahara Contributors, which is subscribed to Mahara. Matching subscriptions: Subscription for all Mahara Contributors -- please ask on #mahara-dev or mahara.org forum before editing or unsubscribing it! https://bugs.launchpad.net/bugs/1286935 Title: Allowed iframe check doesn't handle URLs with a question mark immediately after the domain name Status in Mahara ePortfolio: Fix Committed Status in Mahara 1.10 series: Fix Committed Status in Mahara 1.8 series: Fix Committed Status in Mahara 1.9 series: Fix Committed Status in Mahara 15.04 series: Fix Committed Bug description: See https://mahara.org/interaction/forum/topic.php?id=6124 In the Mahara forums, a user reported this issue with an embed code for hapyak.com. The full embed code: <iframe src="//hapyak.com?embed=true&edit=false&startInEditMode=false&track=15572&project=3162&key=2a69d0613a6a43b5a613&source=youtube&source_id=http%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3DNWjso1EqSXc&controls=true&nativeControls=false&reset_variables=true&autoplay=false&aspect_ratio=1.3328" class="hapyak-embed" marginwidth="0" marginheight="0" allowfullscreen="" webkitallowfullscreen="" mozallowfullscreen="" frameborder="no" height="699" scrolling="no" width="853"></iframe> Note that the URL starts with "//hapyak.com?embed=true...". If you change that to "//hapyak.com/?embed=true..." then it works. It looks like the problem is that the regular expression we use to identify iframes with a valid URL, doesn't handle the scenario of a URL where there's a query component but no path component. In other words, a "?" immediately after the domain name. To manage notifications about this bug go to: https://bugs.launchpad.net/mahara/+bug/1286935/+subscriptions _______________________________________________ Mailing list: https://launchpad.net/~mahara-contributors Post to : mahara-contributors@lists.launchpad.net Unsubscribe : https://launchpad.net/~mahara-contributors More help : https://help.launchpad.net/ListHelp