X-Git-Url: https://git.immae.eu/?a=blobdiff_plain;f=application%2FUrl.php;h=b37593773b920c26d3a9e5332d197dc17fb44449;hb=9d4736a3e95332198896f97ecc8a83abb0cbe85b;hp=c166ff6ef03f6023c2bf895279f8eb8940736ba9;hpb=bb9ca54838e2f877635197541e8439171c83d5dc;p=github%2Fshaarli%2FShaarli.git
diff --git a/application/Url.php b/application/Url.php
index c166ff6e..b3759377 100644
--- a/application/Url.php
+++ b/application/Url.php
@@ -62,21 +62,31 @@ function add_trailing_slash($url)
 {
 return $url . (!endsWith($url, '/') ? '/' : '');
 }
+
 /**
- * Converts an URL with an IDN host to a ASCII one.
+ * Replace not whitelisted protocols by 'http://' from given URL.
 *
- * @param string $url Input URL.
+ * @param string $url URL to clean
+ * @param array $protocols List of allowed protocols (aside from http(s)).
 *
- * @return string converted URL.
+ * @return string URL with allowed protocol
 */
-function url_with_idn_to_ascii($url)
+function whitelist_protocols($url, $protocols)
 {
- $parts = parse_url($url);
- $parts['host'] = idn_to_ascii($parts['host']);
-
- $httpUrl = new \http\Url($parts);
- return $httpUrl->toString();
+ if (startsWith($url, '?') || startsWith($url, '/')) {
+ return $url;
+ }
+ $protocols = array_merge(['http', 'https'], $protocols);
+ $protocol = preg_match('#^(\w+):/?/?#', $url, $match);
+ // Protocol not allowed: we remove it and replace it with http
+ if ($protocol === 1 && ! in_array($match[1], $protocols)) {
+ $url = str_replace($match[0], 'http://', $url);
+ } else if ($protocol !== 1) {
+ $url = 'http://' . $url;
+ }
+ return $url;
 }
+
 /**
 * URL representation and cleanup utilities
 *
@@ -108,7 +118,10 @@ class Url
 'utm_',
 // ATInternet
- 'xtor='
+ 'xtor=',
+
+ // Other
+ 'campaign_'
 );
 private static $annoyingFragments = array(
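Review bot: In `whitelist_protocols`, `str_replace($match[0], 'http://', $url)` rewrites every occurrence of the matched scheme prefix rather than only the leading one, so a disallowed-scheme URL that repeats the prefix later (for example inside a query parameter) is altered in more than one place; `$url = 'http://' . substr($url, strlen($match[0]));` limits the rewrite to the prefix. The `in_array($match[1], $protocols)` test is case-sensitive and loose, so `HTTPS://host` is treated as not allowed and silently rewritten to `http://host`; `in_array(strtolower($match[1]), $protocols, true)` avoids that downgrade, assuming the configured list is lower-case. The pattern `\w+` also cannot match schemes containing `+`, `-` or `.`, so such entries in `$protocols` would never match and those URLs get `http://` prepended instead; that fails closed, but the docblock should say so.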