BookStack Code Mirror - bookstack/blobdiff

index f9ab666acb79c6b9726bd6de7bf84b744f40092e..4262b5c98f8071828eacc073d92d9522b7beabbe 100644 (file)

@@ -126,25 +126,37 @@ class CspService

protected function getAllowedIframeHosts(): array

{

- $hosts = config('app.iframe_hosts', '');

+ $hosts = config('app.iframe_hosts') ?? '';

return array_filter(explode(' ', $hosts));

}

protected function getAllowedIframeSources(): array

{

- $sources = config('app.iframe_sources', '');

- $hosts = array_filter(explode(' ', $sources));

+ $sources = explode(' ', config('app.iframe_sources', ''));

+ $sources[] = $this->getDrawioHost();

- // Extract drawing service url to allow embedding if active

+ return array_filter($sources);

+ }

+ /**

+ * Extract the host name of the configured drawio URL for use in CSP.

+ * Returns empty string if not in use.

+ */

+ protected function getDrawioHost(): string

+ {

$drawioConfigValue = config('services.drawio');

- if ($drawioConfigValue) {

- $drawioSource = is_string($drawioConfigValue) ? $drawioConfigValue : 'https://embed.diagrams.net/';

- $drawioSourceParsed = parse_url($drawioSource);

- $drawioHost = $drawioSourceParsed['scheme'] . '://' . $drawioSourceParsed['host'];

- $hosts[] = $drawioHost;

+ if (!$drawioConfigValue) {

+ return '';

+ }

+ $drawioSource = is_string($drawioConfigValue) ? $drawioConfigValue : 'https://embed.diagrams.net/';

+ $drawioSourceParsed = parse_url($drawioSource);

+ $drawioHost = $drawioSourceParsed['scheme'] . '://' . $drawioSourceParsed['host'];

+ if (isset($drawioSourceParsed['port'])) {

+ $drawioHost .= ':' . $drawioSourceParsed['port'];

}

- return $hosts;

+ return $drawioHost;

}