From: Mikael Nordfeldth
Date: Sat, 25 Oct 2014 12:56:38 +0000 (+0200)
Subject: Possible XSS scenario when posting Bookmarks
X-Git-Url: https://git.mxchange.org/?a=commitdiff_plain;h=39b5e08d44e22cd3ecd3bf3ba9011ba4944a9c4b;p=quix0rs-gnu-social.git

Possible XSS scenario when posting Bookmarks
---

diff --git a/plugins/Bookmark/classes/Bookmark.php b/plugins/Bookmark/classes/Bookmark.php
index 65c767efdd..a99df87ee3 100644
--- a/plugins/Bookmark/classes/Bookmark.php
+++ b/plugins/Bookmark/classes/Bookmark.php
@@ -134,6 +134,10 @@ class Bookmark extends Managed_DataObject
 static function saveNew($profile, $title, $url, $rawtags, $description, $options=null)
 {
+ if (!common_valid_http_url($url)) {
+ throw new ClientException(_m('Only web bookmarks can be posted (HTTP or HTTPS).'));
+ }
+
 $nb = self::getByURL($profile, $url);
 if (!empty($nb)) {
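Review bot: The scheme check on the first added line guards only this entry point, so bookmarks already stored before this commit, or records that reach the table through a path other than `saveNew`, are not covered by it; the code that renders a stored URL as a link target should keep treating the scheme as untrusted rather than rely on this save-time check alone. Whether `common_valid_http_url` rejects every non-HTTP(S) scheme cannot be seen from this hunk and is worth confirming in its definition, since the commit message presents this as the XSS fix. A short comment would also tell later readers why the check sits before the `getByURL` lookup, e.g. `// Reject non-HTTP(S) URLs up front: the stored URL is later emitted as a link target, so scheme validation at save time is the primary defence.` The body of `saveNew` continues outside the hunk.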