blob: 5da09593de227c618dabd60db3212a2e3b753f34 (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
|
<?php
namespace Drupal\media;
use Drupal\Component\Utility\Crypt;
use Drupal\Core\PrivateKey;
use Drupal\Core\Routing\RequestContext;
use Drupal\Core\Site\Settings;
/**
* Providers helper functions for displaying oEmbed resources in an iFrame.
*
* @internal
* This is an internal part of the oEmbed system and should only be used by
* oEmbed-related code in Drupal core.
*/
class IFrameUrlHelper {
/**
* The request context service.
*
* @var \Drupal\Core\Routing\RequestContext
*/
protected $requestContext;
/**
* The private key service.
*
* @var \Drupal\Core\PrivateKey
*/
protected $privateKey;
/**
* IFrameUrlHelper constructor.
*
* @param \Drupal\Core\Routing\RequestContext $request_context
* The request context service.
* @param \Drupal\Core\PrivateKey $private_key
* The private key service.
*/
public function __construct(RequestContext $request_context, PrivateKey $private_key) {
$this->requestContext = $request_context;
$this->privateKey = $private_key;
}
/**
* Hashes an oEmbed resource URL.
*
* @param string $url
* The resource URL.
* @param int $max_width
* (optional) The maximum width of the resource.
* @param int $max_height
* (optional) The maximum height of the resource.
*
* @return string
* The hashed URL.
*/
public function getHash($url, $max_width = NULL, $max_height = NULL) {
return Crypt::hmacBase64("$url:$max_width:$max_height", $this->privateKey->get() . Settings::getHashSalt());
}
/**
* Checks if an oEmbed URL can be securely displayed in an frame.
*
* @param string $url
* The URL to check.
*
* @return bool
* TRUE if the URL is considered secure, otherwise FALSE.
*/
public function isSecure($url) {
if (!$url) {
return FALSE;
}
$url_host = parse_url($url, PHP_URL_HOST);
$system_host = parse_url($this->requestContext->getCompleteBaseUrl(), PHP_URL_HOST);
// The URL is secure if its domain is not the same as the domain of the base
// URL of the current request.
return $url_host && $system_host && $url_host !== $system_host;
}
}
|
