From 2b75ad5e0afd0d458fb5c0330cd1fedecd40beb3 Mon Sep 17 00:00:00 2001
From: Hypolite Petovan <ben.lort@gmail.com>
Date: Sun, 4 Dec 2016 21:33:29 -0500
Subject: [PATCH] src and href attributes sanitization touchups

- Use Config::get
- Add default to config call
- Add always allowed protocol to href
- Remove relative root URLs from allowed forms
---
 include/bbcode.php | 16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)

diff --git a/include/bbcode.php b/include/bbcode.php
index 0d0cb0177c..52cfa97c8b 100644
--- a/include/bbcode.php
+++ b/include/bbcode.php
@@ -1,4 +1,6 @@
 <?php
+use \Friendica\Core\Config;
+
 require_once("include/oembed.php");
 require_once('include/event.php');
 require_once('include/map.php');
@@ -1163,12 +1165,16 @@ function bbcode($Text,$preserve_nl = false, $tryoembed = true, $simplehtml = fal
 	// fix any escaped ampersands that may have been converted into links
 	$Text = preg_replace('/\<([^>]*?)(src|href)=(.*?)\&amp\;(.*?)\>/ism', '<$1$2=$3&$4>', $Text);
 
-	// sanitizes src attributes (only relative URIs or http URLs)
-	$Text = preg_replace('#<([^>]*?)(src)="(?!/|http)(.*?)"(.*?)>#ism', '<$1$2=""$4 class="invalid-src" title="' . t('Invalid source protocol') . '">', $Text);
+	// sanitizes src attributes (only relative redir URIs or http URLs)
+	$Text = preg_replace('#<([^>]*?)(src)="(?!http|redir)(.*?)"(.*?)>#ism', '<$1$2=""$4 class="invalid-src" title="' . t('Invalid source protocol') . '">', $Text);
+
+	// sanitize href attributes (only whitelisted protocols URLs)
+	$allowed_link_protocols = Config::get('system', 'allowed_link_protocols', array());
+
+	// Always allowed protocol even if config isn't set
+	$allowed_link_protocols[] = 'http';
 
-	// sanitize href attributes (only relative URIs or whitelisted protocols URLs)
-	$allowed_link_protocols = get_config('system', 'allowed_link_protocols');
-	$regex = '#<([^>]*?)(href)="(?!/|http|' . implode('|', $allowed_link_protocols) . ')(.*?)"(.*?)>#ism';
+	$regex = '#<([^>]*?)(href)="(?!' . implode('|', $allowed_link_protocols) . ')(.*?)"(.*?)>#ism';
 	$Text = preg_replace($regex, '<$1$2="javascript:void(0)"$4 class="invalid-href" title="' . t('Invalid link protocol') . '">', $Text);
 
 	if($saved_image) {
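Review bot: The protocol names read from `system.allowed_link_protocols` are interpolated into the regex on the new `$regex` line without `preg_quote`, so a config value containing `|`, `)`, `(` or the `#` delimiter alters or breaks the pattern; a broken pattern makes `preg_replace` return null, which would then replace `$Text` with null and drop the content rather than fail closed. Escaping each entry keeps the pattern intact: `$allowed_link_protocols = array_map(function ($p) { return preg_quote($p, '#'); }, $allowed_link_protocols);` before building `$regex`. The lookahead is also a prefix test rather than a `scheme:` test, so any value beginning with `http` or `redir` passes (which the `array()` default and the `redir` allowance seem to rely on for relative `redir/…` URLs, so I would document that intent in the comment rather than change it), and the match only covers double-quoted attributes; both are carried over from the previous code. The enclosing `bbcode()` function starts and ends outside this hunk.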
-- 
2.39.5