vadvs (vadvs) wrote in changelog,

[livejournal] r20819: LJSUP-10811: due to security issue only ...

Committer: vad
LJSUP-10811: due to security issue only Flash is allowed
U   trunk/cgi-bin/cleanhtml.pl
Modified: trunk/cgi-bin/cleanhtml.pl
===================================================================
--- trunk/cgi-bin/cleanhtml.pl	2011-12-20 13:27:03 UTC (rev 20818)
+++ trunk/cgi-bin/cleanhtml.pl	2011-12-20 13:27:57 UTC (rev 20819)
@@ -1147,6 +1147,12 @@
                     }
                 }
 
+                ## LJSUP-10811: due to security issue only Flash is allowed
+                if ($tag eq 'embed' or $tag eq 'object'){
+                   $hash->{type} = 'application/x-shockwave-flash'; 
+                   push @$attrs => 'type';
+                }
+
                 # Through the xsl namespace in XML, it is possible to embed scripting lanaguages
                 # as elements which will then be executed by the browser.  Combining this with
                 # customview.cgi makes it very easy for someone to replace their entire journal
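Review bot: the new block sets `$hash->{type}` unconditionally and then does `push @$attrs => 'type'` without checking whether `type` is already in `@$attrs`, so an `embed` or `object` that already carried a `type` attribute ends up with `type` listed twice in the attribute order; guard it with something like `push @$attrs, 'type' unless grep { $_ eq 'type' } @$attrs;`. Note also that this relabels rather than rejects: a tag whose original `type` was something other than Flash is kept and simply declared to be `application/x-shockwave-flash`, while its `src`/`data` target is left as it was, which is weaker than the "only Flash is allowed" wording of the commit message; if that wording is the intent, dropping the tag when the original `type` is not Flash is the stricter and clearer option. The comment should also say what the security issue is rather than only citing the ticket number.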

Tags: livejournal, pl, vad, vadvs