some much needed work on oembed security

Zotlabs/Module/Admin.php

@@ -568,25 +568,25 @@ class Admin extends \Zotlabs\Web\Controller {
 		$block_public         = ((x($_POST,'block_public'))		? True	: False);
 		set_config('system','block_public',$block_public);
 	
-		$ws = trim_array_elems(explode("\n",$_POST['whitelisted_sites']));
+		$ws = $this->trim_array_elems(explode("\n",$_POST['whitelisted_sites']));
 		set_config('system','whitelisted_sites',$ws);
 	
-		$bs = trim_array_elems(explode("\n",$_POST['blacklisted_sites']));
+		$bs = $this->trim_array_elems(explode("\n",$_POST['blacklisted_sites']));
 		set_config('system','blacklisted_sites',$bs);
 	
-		$wc = trim_array_elems(explode("\n",$_POST['whitelisted_channels']));
+		$wc = $this->trim_array_elems(explode("\n",$_POST['whitelisted_channels']));
 		set_config('system','whitelisted_channels',$wc);
 	
-		$bc = trim_array_elems(explode("\n",$_POST['blacklisted_channels']));
+		$bc = $this->trim_array_elems(explode("\n",$_POST['blacklisted_channels']));
 		set_config('system','blacklisted_channels',$bc);
 	
 		$embed_coop         = ((x($_POST,'embed_coop'))		? True	: False);
 		set_config('system','embed_coop',$embed_coop);
 	
-		$we = trim_array_elems(explode("\n",$_POST['embed_allow']));
+		$we = $this->trim_array_elems(explode("\n",$_POST['embed_allow']));
 		set_config('system','embed_allow',$we);
 	
-		$be = trim_array_elems(explode("\n",$_POST['embed_deny']));
+		$be = $this->trim_array_elems(explode("\n",$_POST['embed_deny']));
 		set_config('system','embed_deny',$be);
 	
 		goaway(z_root() . '/admin/security');
@@ -708,9 +708,13 @@ class Admin extends \Zotlabs\Web\Controller {
 	
 		$embed_coop = intval(get_config('system','embed_coop'));
 	
-	// wait to implement this until we have a co-op in place. 
-	//	if((! $whiteembeds) && (! $blackembeds) && (! $embed_coop))
-	//		$whiteembeds_str = "youtube.com\nyoutu.be\ntwitter.com\nvimeo.com\nsoundcloud.com\nwikipedia.com";
+		if((! $whiteembeds) && (! $blackembeds)) {
+			$embedhelp1 = t("By default, unfiltered HTML is allowed in embedded media. This is inherently insecure.");
+		}
+
+		$embedhelp2 = t("The recommended setting is to only allow unfiltered HTML from the following sites:"); 
+		$embedhelp3 = t("youtube.com<br />youtu.be<br />twitter.com<br />vimeo.com<br />soundcloud.com<br />wikipedia.com<br />");
+		$embedhelp4 = t("All other embedded content will be filtered, <strong>unless</strong> embedded content from that site is explicitly blocked.");
 	
 		$t = get_markup_template('admin_security.tpl');
 		return replace_macros($t, array(
@@ -722,10 +726,15 @@ class Admin extends \Zotlabs\Web\Controller {
 			'$blacklisted_sites' => array('blacklisted_sites', t('Block communications from these sites'), $blacksites_str, ''),
 			'$whitelisted_channels' => array('whitelisted_channels', t('Allow communications only from these channels'), $whitechannels_str, t('One channel (hash) per line. Leave empty to allow from any channel by default')),
 			'$blacklisted_channels' => array('blacklisted_channels', t('Block communications from these channels'), $blackchannels_str, ''),
-			'$embed_allow' => array('embed_allow', t('Allow embedded HTML content only from these domains'), $whiteembeds_str, t('One site per line. Leave empty to allow from any site by default')),
+			'$embed_allow' => array('embed_allow', t('Allow unfiltered embedded HTML content only from these domains'), $whiteembeds_str, t('One site per line. Leave empty to allow from any site by default')),
 			'$embed_deny' => array('embed_deny', t('Block embedded HTML from these domains'), $blackembeds_str, ''),
 	
 //	        '$embed_coop'     => array('embed_coop', t('Cooperative embed security'), $embed_coop, t('Enable to share embed security with other compatible sites/hubs')),
+			'$embedhelp1' => $embedhelp1,
+			'$embedhelp2' => $embedhelp2,
+			'$embedhelp3' => $embedhelp3,
+			'$embedhelp4' => $embedhelp4,
+
 			'$submit' => t('Submit')
 		));
 	}