added checks for valid URL schemes in the preview URL of OER materials, fixes #3253

Closes #3253 Merge request !2209

added checks for valid URL schemes in the preview URL of OER materials, fixes #3253
55dd1618 · Moritz Strohm · anoack · b978f0dd · 55dd1618 · 55dd1618
Commit 55dd1618 authored 1 year ago by Moritz Strohm Committed by anoack 1 year ago
--- a/app/controllers/oer/mymaterial.php
+++ b/app/controllers/oer/mymaterial.php
@@ -38,7 +38,12 @@ class Oer_MymaterialController extends AuthenticatedController
            CSRFProtection::verifyUnsafeRequest();
            $was_new = $material->isNew();
            $was_on_twillo = (bool) $material['published_id_on_twillo'];
-            $material->setData(Request::getArray('data'));
+            $data = Request::getArray('data');
+            $material->setData($data);
+            if ($data['player_url'] && !$material->hasValidPreviewUrl()) {
+                PageLayout::postWarning(_('Die angegebene URL muss mit http(s) beginnen.'));
+                $material->player_url = '';
+            }
            $material['host_id'] = null;
            $material['license_identifier'] = Request::get('license', 'CC-BY-SA-4.0');
            if ($_FILES['file']['tmp_name']) {

--- a/app/views/oer/embed/url.php
+++ b/app/views/oer/embed/url.php
@@ -5,7 +5,8 @@ if ($material['player_url']) {
 }
 $htmlid = "oercampus_".$material->id."_".uniqid();
 ?>
-<iframe id='<?= $htmlid ?>'
+<iframe sandbox="allow-forms allow-popups allow-pointer-lock allow-same-origin allow-scripts"
+        id='<?= $htmlid ?>'
        src="<?= htmlReady($url) ?>"
        style="width: 100%; height: 70vh; border: none;"></iframe>
 <?= $this->render_partial("oer/embed/_link") ?>
--- a/app/views/oer/market/details.php
+++ b/app/views/oer/market/details.php
@@ -2,7 +2,7 @@
 <? $url = $material['host_id'] ? $material->host->url."download/".$material['foreign_material_id'] : $controller->link_for("oer/endpoints/download/".$material->getId()) ?>
-<? if ($material['player_url']) : ?>
+<? if ($material->hasValidPreviewUrl()) : ?>
    <iframe src="<?= htmlReady($material['player_url']) ?>"
            class="lernmarktplatz_player"></iframe>
    <? OERDownloadcounter::addCounter($material->id) ?>

--- a/app/views/oer/mymaterial/edit.php
+++ b/app/views/oer/mymaterial/edit.php
@@ -120,8 +120,8 @@
            <label>
                <?= _('Vorschau-URL (optional)') ?>
-                <input type="text" name="data[player_url]"
+                <input type="url" name="data[player_url]" pattern="^https?://.*"
-                       value="<?= htmlReady($material['player_url'] ?: $template['player_url']) ?>">
+                       value="<?= htmlReady($material['player_url'] ?: $template['player_url'] ?? '') ?>">
            </label>
            <? if (!$material->isNew()) : ?>

--- a/lib/models/OERMaterial.php
+++ b/lib/models/OERMaterial.php
@@ -149,19 +149,19 @@ class OERMaterial extends SimpleORMap
            ? $material->host->url."download/".$material['foreign_material_id']
            : URLHelper::getURL("dispatch.php/oer/endpoints/download/".$material->getId());
-        if ($material['player_url'] || $material->isPDF()) {
+        if ($material->hasValidPreviewUrl() || $material->isPDF()) {
-            if ($material['player_url']) {
+            if ($material->hasValidPreviewUrl()) {
                OERDownloadcounter::addCounter($material->id);
                $url = $material['player_url'];
            }
            $htmlid = "oercampus_".$material->id."_".uniqid();
-            $output = "<iframe id='".$htmlid."' src=\"". htmlReady($url). "\" style=\"width: 100%; height: 70vh; border: none;\"></iframe>";
+            $output = "<iframe sandbox=\"allow-forms allow-popups allow-pointer-lock allow-same-origin allow-scripts\" id='".$htmlid."' src=\"". htmlReady($url). "\" style=\"width: 100%; height: 70vh; border: none;\"></iframe>";
            return $output;
        }
        $tf = new Flexi_TemplateFactory($GLOBALS['STUDIP_BASE_PATH']."/app/views");
-        if ($material['player_url'] || $material->isPDF()) {
+        if ($material->hasValidPreviewUrl() || $material->isPDF()) {
            $template = $tf->open("oer/embed/url");
        } elseif ($material->isVideo()) {
            $template = $tf->open("oer/embed/video");
@@ -285,6 +285,24 @@ class OERMaterial extends SimpleORMap
        return (bool) $this['structure'];
    }
+    /**
+     * Checks the URL scheme of the preview URL (player_url).
+     * HTTP, HTTPS, Gopher and Gemini are supported schemes.
+     *
+     * @return bool True, if the URL scheme matches the allowced ones,
+     *     false otherwise.
+     */
+    public function hasValidPreviewUrl() : bool
+    {
+        if ($this->player_url) {
+            $scheme = parse_url($this->player_url, PHP_URL_SCHEME);
+            if (in_array($scheme, ['http', 'https'])) {
+                return true;
+            }
+        }
+        return false;
+    }
    public function isImage()
    {
        return stripos($this['content_type'], "image") === 0;