-rw-r--r--composer.json1
-rw-r--r--composer.lock46
-rw-r--r--controllers/editor.php5
-rw-r--r--lib/helpers.php47
-rw-r--r--public/editor-files/editor.js2
-rw-r--r--public/editor-files/style.css3
6 files changed, 101 insertions, 3 deletions
diff --git a/composer.json b/composer.json
index 08f960c..0061d5d 100644
--- a/composer.json
+++ b/composer.json
@@ -11,6 +11,7 @@
"firebase/php-jwt": "2.*",
"abraham/twitteroauth": "*",
"andreyco/instagram": "3.*",
+ "ezyang/htmlpurifier": "4.*",
"p3k/multipart": "*",
"tantek/cassis": "*",
"p3k/timezone": "*"
diff --git a/composer.lock b/composer.lock
index ec0f1ff..4cdfe08 100644
--- a/composer.lock
+++ b/composer.lock
@@ -4,7 +4,7 @@
"Read more about it at https://getcomposer.org/doc/01-basic-usage.md#composer-lock-the-lock-file",
"This file is @generated automatically"
],
- "content-hash": "4ec77b1fe4974da5d6a392ec0d362858",
+ "content-hash": "1eb78fb0a7afe487cc3c9dd58d35532e",
"packages": [
{
"name": "abraham/twitteroauth",
@@ -144,6 +144,50 @@
"time": "2014-10-06T23:11:15+00:00"
},
{
+ "name": "ezyang/htmlpurifier",
+ "version": "v4.8.0",
+ "source": {
+ "type": "git",
+ "url": "https://github.com/ezyang/htmlpurifier.git",
+ "reference": "d0c392f77d2f2a3dcf7fcb79e2a1e2b8804e75b2"
+ },
+ "dist": {
+ "type": "zip",
+ "url": "https://api.github.com/repos/ezyang/htmlpurifier/zipball/d0c392f77d2f2a3dcf7fcb79e2a1e2b8804e75b2",
+ "reference": "d0c392f77d2f2a3dcf7fcb79e2a1e2b8804e75b2",
+ "shasum": ""
+ },
+ "require": {
+ "php": ">=5.2"
+ },
+ "type": "library",
+ "autoload": {
+ "psr-0": {
+ "HTMLPurifier": "library/"
+ },
+ "files": [
+ "library/HTMLPurifier.composer.php"
+ ]
+ },
+ "notification-url": "https://packagist.org/downloads/",
+ "license": [
+ "LGPL"
+ ],
+ "authors": [
+ {
+ "name": "Edward Z. Yang",
+ "email": "admin@htmlpurifier.org",
+ "homepage": "http://ezyang.com"
+ }
+ ],
+ "description": "Standards compliant HTML filter written in PHP",
+ "homepage": "http://htmlpurifier.org/",
+ "keywords": [
+ "html"
+ ],
+ "time": "2016-07-16T12:58:58+00:00"
+ },
+ {
"name": "firebase/php-jwt",
"version": "v2.2.0",
"source": {
diff --git a/controllers/editor.php b/controllers/editor.php
index 81703f6..9016d1d 100644
--- a/controllers/editor.php
+++ b/controllers/editor.php
@@ -14,8 +14,11 @@ $app->post('/editor/publish', function() use($app) {
$content = $params['body'];
+ // Clean up the HTML from the editor
+ $content = sanitize_editor_html($content);
+
if($user->micropub_optin_html_content) {
- $content = ['html' => $params['body']];
+ $content = ['html' => $content];
}
$micropub_request = array(
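Review bot: The new `sanitize_editor_html($content)` call receives `$params['body']` with no presence check, so a publish request that omits `body` hands null (after an undefined-index notice) into the purifier; guarding it on the line above as `$content = isset($params['body']) ? $params['body'] : '';` keeps the sanitizer's input a string. Where `$params` is populated lies outside this hunk, so if it is already normalised there this is moot. The sanitized HTML now feeds both branches, so a user who has not opted into HTML content still receives the tag-bearing string as plain `content` — pre-existing behaviour, but a one-line comment on the `if` stating that this is intended would save the next reader a question. The enclosing `$app->post('/editor/publish', …)` closure starts before the hunk.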
diff --git a/lib/helpers.php b/lib/helpers.php
index 4a4da11..26faf49 100644
--- a/lib/helpers.php
+++ b/lib/helpers.php
@@ -380,3 +380,50 @@ function correct_photo_rotation($filename) {
$image->writeImage($filename);
}
}
+
+function sanitize_editor_html($html) {
+ $config = HTMLPurifier_Config::createDefault();
+ $config->set('Cache.DefinitionImpl', null);
+ $config->set('HTML.AllowedElements', [
+ 'a',
+ 'abbr',
+ 'b',
+ 'code',
+ 'del',
+ 'em',
+ 'i',
+ 'img',
+ 'q',
+ 'strike',
+ 'strong',
+ 'blockquote',
+ 'pre',
+ 'p',
+ 'h1',
+ 'h2',
+ 'h3',
+ 'h4',
+ 'h5',
+ 'h6',
+ 'ul',
+ 'li',
+ 'ol'
+ ]);
+
+ // Allow data: URIs
+ $config->set('URI.AllowedSchemes', array('data' => true, 'http' => true, 'https' => true));
+
+ // Strip all classes from elements
+ $config->set('Attr.AllowedClasses', '');
+
+ // $def = $config->getHTMLDefinition(true);
+ $purifier = new HTMLPurifier($config);
+ $sanitized = $purifier->purify($html);
+ $sanitized = str_replace("
","\r",$sanitized);
+
+ # Remove empty paragraphs
+ $sanitized = str_replace('<p><br /></p>','',$sanitized);
+ $sanitized = str_replace('<p></p>','',$sanitized);
+
+ return $sanitized;
+}
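Review bot: `HTML.AllowedElements` restricts tags but nothing restricts attributes, so every attribute HTMLPurifier's default definition permits on these elements (`style`, `title`, `lang`, `img` `width`/`height`, …) still survives purification, which sits oddly next to the "Strip all classes" intent of the `Attr.AllowedClasses` line; adding `$config->set('HTML.AllowedAttributes', ['a.href', 'a.title', 'abbr.title', 'img.src', 'img.alt', 'img.width', 'img.height']);` makes the whitelist explicit on both axes. Enabling `data` in `URI.AllowedSchemes` applies to `a href` as well as `img src`; HTMLPurifier's data-URI scheme handler accepts only image payloads as far as I recall, but that should be confirmed against the vendored 4.8.0 source rather than assumed. Setting `Cache.DefinitionImpl` to `null` disables the definition cache, so the HTML/CSS definitions are rebuilt on every publish request; a writable `Cache.SerializerPath` is the usual production setting. The `str_replace` after `purify()` embeds a literal newline inside its search string and the reason for turning newlines into `\r` is undocumented — write it as `$sanitized = str_replace("\n", "\r", $sanitized);` with a comment explaining why the editor output needs carriage returns, and drop the commented-out `getHTMLDefinition` line.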
diff --git a/public/editor-files/editor.js b/public/editor-files/editor.js
index 4395380..158b34f 100644
--- a/public/editor-files/editor.js
+++ b/public/editor-files/editor.js
@@ -25,7 +25,7 @@ $(function() {
}
},
embeds: {
- oembedProxy: '/editor/oembed'
+ oembedProxy: null
}
}
});
diff --git a/public/editor-files/style.css b/public/editor-files/style.css
index f0d14f9..9879c17 100644
--- a/public/editor-files/style.css
+++ b/public/editor-files/style.css
@@ -315,3 +315,6 @@ blockquote {
color: #ccc;
}
+.medium-insert-action[data-addon=embeds] {
+ display: none !important;
+}