From 2b75ad5e0afd0d458fb5c0330cd1fedecd40beb3 Mon Sep 17 00:00:00 2001
From: Hypolite Petovan
Date: Sun, 4 Dec 2016 21:33:29 -0500
Subject: [PATCH] src and href attributes sanitization touchups

- Use Config::get
- Add default to config call
- Add always allowed protocol to href
- Remove relative root URLs from allowed forms
---
 include/bbcode.php | 16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)

diff --git a/include/bbcode.php b/include/bbcode.php
index 0d0cb0177c..52cfa97c8b 100644
--- a/include/bbcode.php
+++ b/include/bbcode.php
@@ -1,4 +1,6 @@ ]*?)(src|href)=(.*?)\&\;(.*?)\>/ism', '<$1$2=$3&$4>', $Text);
- // sanitizes src attributes (only relative URIs or http URLs)
- $Text = preg_replace('#<([^>]*?)(src)="(?!/|http)(.*?)"(.*?)>#ism', '<$1$2=""$4 class="invalid-src" title="' . t('Invalid source protocol') . '">', $Text);
+ // sanitizes src attributes (only relative redir URIs or http URLs)
+ $Text = preg_replace('#<([^>]*?)(src)="(?!http|redir)(.*?)"(.*?)>#ism', '<$1$2=""$4 class="invalid-src" title="' . t('Invalid source protocol') . '">', $Text);
+
+ // sanitize href attributes (only whitelisted protocols URLs)
+ $allowed_link_protocols = Config::get('system', 'allowed_link_protocols', array());
+
+ // Always allowed protocol even if config isn't set
+ $allowed_link_protocols[] = 'http';
- // sanitize href attributes (only relative URIs or whitelisted protocols URLs)
- $allowed_link_protocols = get_config('system', 'allowed_link_protocols');
- $regex = '#<([^>]*?)(href)="(?!/|http|' . implode('|', $allowed_link_protocols) . ')(.*?)"(.*?)>#ism';
+ $regex = '#<([^>]*?)(href)="(?!' . implode('|', $allowed_link_protocols) . ')(.*?)"(.*?)>#ism';
  $Text = preg_replace($regex, '<$1$2="javascript:void(0)"$4 class="invalid-href" title="' . t('Invalid link protocol') . '">', $Text);
  if($saved_image) {
-- 
2.39.5
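Review bot: The protocol names read from `allowed_link_protocols` are interpolated into `$regex` unescaped, so an entry containing a regex metacharacter or the `#` delimiter changes the pattern's meaning or makes it invalid, and an invalid pattern makes `preg_replace` return null, silently emptying `$Text`. Escape each entry before the implode, e.g. `$allowed_link_protocols = array_map(function ($p) { return preg_quote($p, '#'); }, $allowed_link_protocols);` placed right before `$regex` is built. The negative lookahead is a plain prefix test (`http` deliberately also covers `https`), which deserves a sentence in the `// sanitize href attributes` comment so nobody later tightens it to `http:` without revisiting that. Both patterns only check double-quoted `src="…"`/`href="…"` values; whether other quoting styles are normalized earlier is not visible in this hunk. The enclosing function starts and ends outside the hunk.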