]> git.mxchange.org Git - friendica.git/commitdiff
projects / friendica.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: f88435f)
Increase specificity of default allowed protocols
authorHypolite Petovan <hypolite@mrpetovan.com>
Thu, 15 Aug 2019 01:42:00 +0000 (21:42 -0400)
committerHypolite Petovan <hypolite@mrpetovan.com>
Thu, 15 Aug 2019 01:42:00 +0000 (21:42 -0400)
src/Content/Text/BBCode.php patch | blob | history
static/defaults.config.php patch | blob | history

diff --git a/src/Content/Text/BBCode.php b/src/Content/Text/BBCode.php
index cd40d717af4b80573d845f0ce6f0da06e7073908..c16041e2207df7fe929a8cb040afd91e067f61c0 100644 (file)
--- a/src/Content/Text/BBCode.php
+++ b/src/Content/Text/BBCode.php
@@ -1753,19 +1753,25 @@ class BBCode extends BaseObject
                $text = preg_replace('/\<([^>]*?)(src|href)=(.*?)\&amp\;(.*?)\>/ism', '<$1$2=$3&$4>', $text);
 
                // sanitizes src attributes (http and redir URLs for displaying in a web page, cid used for inline images in emails)
-               $allowed_src_protocols = ['//', 'http', 'redir', 'cid'];
+               $allowed_src_protocols = ['//', 'http://', 'https://', 'redir/', 'cid:'];
+
+               array_walk($allowed_src_protocols, function(&$value) { $value = preg_quote($value, '#');});
+
                $text = preg_replace('#<([^>]*?)(src)="(?!' . implode('|', $allowed_src_protocols) . ')(.*?)"(.*?)>#ism',
                                         '<$1$2=""$4 data-original-src="$3" class="invalid-src" title="' . L10n::t('Invalid source protocol') . '">', $text);
 
                // sanitize href attributes (only whitelisted protocols URLs)
                // default value for backward compatibility
-               $allowed_link_protocols = Config::get('system', 'allowed_link_protocols', ['ftp', 'mailto', 'gopher', 'cid']);
+               $allowed_link_protocols = Config::get('system', 'allowed_link_protocols', []);
 
                // Always allowed protocol even if config isn't set or not including it
-               $allowed_link_protocols[] = 'http';
                $allowed_link_protocols[] = '//';
+               $allowed_link_protocols[] = 'http://';
+               $allowed_link_protocols[] = 'https://';
                $allowed_link_protocols[] = 'redir/';
 
+               array_walk($allowed_link_protocols, function(&$value) { $value = preg_quote($value, '#');});
+
                $regex = '#<([^>]*?)(href)="(?!' . implode('|', $allowed_link_protocols) . ')(.*?)"(.*?)>#ism';
                $text = preg_replace($regex, '<$1$2="javascript:void(0)"$4 data-original-href="$3" class="invalid-href" title="' . L10n::t('Invalid link protocol') . '">', $text);
 
diff --git a/static/defaults.config.php b/static/defaults.config.php
index dcda564c2a14d1a33f1a7f1489905e5f4c96641b..0cfb15e8474149b50bbfef40cc647d47026c1cd0 100644 (file)
--- a/static/defaults.config.php
+++ b/static/defaults.config.php
@@ -52,8 +52,8 @@ return [
        ],
        'system' => [
                // allowed_link_protocols (Array)
-               // Allowed protocols in links URLs, add at your own risk. http is always allowed.
-               'allowed_link_protocols' => ['ftp', 'ftps', 'mailto', 'cid', 'gopher'],
+               // Allowed protocols in links URLs, add at your own risk. http(s) is always allowed.
+               'allowed_link_protocols' => ['ftp://', 'ftps://', 'mailto:', 'cid:', 'gopher://'],
 
                // always_show_preview (Boolean)
                // Only show small preview pictures.
Unnamed repository; edit this file 'description' to name the repository.