X-Git-Url: https://git.mxchange.org/?a=blobdiff_plain;ds=sidebyside;f=include%2Fbbcode.php;h=27213007cebdfc8a6751a14fc0472ddadd0abe1b;hb=467cdfeb3402347a454082d79e9075f23eefee83;hp=ebafc353a4dcb153b759ab3820f6cdf79f17a0c0;hpb=aff467adf2f399b64a05c332751cf517f4bf0099;p=friendica.git diff --git a/include/bbcode.php b/include/bbcode.php index ebafc353a4..27213007ce 100644 --- a/include/bbcode.php +++ b/include/bbcode.php @@ -1,4 +1,6 @@ ]*?)(src|href)=(.*?)\&\;(.*?)\>/ism",'<$1$2=$3&$4>',$Text); - $Text = preg_replace("/\<([^>]*?)(src|href)=\"(?!http|ftp|mailto|gopher|cid)(.*?)\>/ism",'<$1$2="">',$Text); + $Text = preg_replace('/\<([^>]*?)(src|href)=(.*?)\&\;(.*?)\>/ism', '<$1$2=$3&$4>', $Text); + + // sanitizes src attributes (only relative redir URIs or http URLs) + $Text = preg_replace('#<([^>]*?)(src)="(?!http|redir)(.*?)"(.*?)>#ism', '<$1$2=""$4 class="invalid-src" title="' . t('Invalid source protocol') . '">', $Text); + + // sanitize href attributes (only whitelisted protocols URLs) + // default value for backward compatibility + $allowed_link_protocols = Config::get('system', 'allowed_link_protocols', array('ftp', 'mailto', 'gopher', 'cid')); - if($saved_image) + // Always allowed protocol even if config isn't set or not including it + $allowed_link_protocols[] = 'http'; + + $regex = '#<([^>]*?)(href)="(?!' . implode('|', $allowed_link_protocols) . ')(.*?)"(.*?)>#ism'; + $Text = preg_replace($regex, '<$1$2="javascript:void(0)"$4 class="invalid-href" title="' . t('Invalid link protocol') . '">', $Text); + + if($saved_image) { $Text = bb_replace_images($Text, $saved_image); + } // Clean up the HTML by loading and saving the HTML with the DOM. // Bad structured html can break a whole page.
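Review bot: The href filter builds its pattern with `implode('|', $allowed_link_protocols)` straight from `Config::get()`, so a regex metacharacter or a `#` in a configured entry changes or breaks the pattern, and the lookahead `(?!http|…)` tests only a prefix rather than a complete scheme, which passes any value that merely starts with an allowed token. Quoting each entry and anchoring on the colon would tighten this, e.g. `$quoted = array_map(function ($p) { return preg_quote($p, '#'); }, $allowed_link_protocols);` with the lookahead written as `(?!(?:' . implode('|', $quoted) . '):)`; `https` would then have to be appended explicitly next to `http`. Both new patterns also match only double-quoted attribute values, so a single-quoted or unquoted `src`/`href` is not rewritten unless an earlier stage normalises quoting, which this hunk does not show. The enclosing function begins and ends outside the hunk.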