Possible XSS scenario when posting Bookmarks

diff --git a/plugins/Bookmark/classes/Bookmark.php b/plugins/Bookmark/classes/Bookmark.php
index 65c767efddaffc36212daa00707d2cd8df6babb2..a99df87ee3d7da8da3a2117839f9d4d3a96d7a58 100644 (file)
--- a/plugins/Bookmark/classes/Bookmark.php
+++ b/plugins/Bookmark/classes/Bookmark.php
@@ -134,6 +134,10 @@ class Bookmark extends Managed_DataObject
     static function saveNew($profile, $title, $url, $rawtags, $description,
                             $options=null)
     {
+        if (!common_valid_http_url($url)) {
+            throw new ClientException(_m('Only web bookmarks can be posted (HTTP or HTTPS).'));
+        }
+
         $nb = self::getByURL($profile, $url);
 
         if (!empty($nb)) {