return $url . (!endsWith($url, '/') ? '/' : '');
}
+/**
+ * Replace not whitelisted protocols by 'http://' from given URL.
+ *
+ * @param string $url URL to clean
+ * @param array $protocols List of allowed protocols (aside from http(s)).
+ *
+ * @return string URL with allowed protocol
+ */
+function whitelist_protocols($url, $protocols)
+{
+ if (startsWith($url, '?') || startsWith($url, '/')) {
+ return $url;
+ }
+ $protocols = array_merge(['http', 'https'], $protocols);
+ $protocol = preg_match('#^(\w+):/?/?#', $url, $match);
+ // Protocol not allowed: we remove it and replace it with http
+ if ($protocol === 1 && ! in_array($match[1], $protocols)) {
+ $url = str_replace($match[0], 'http://', $url);
+ } else if ($protocol !== 1) {
+ $url = 'http://' . $url;
+ }
+ return $url;
+}
+
/**
* URL representation and cleanup utilities
*
$this->setEmpty('security.ban_duration', 1800);
$this->setEmpty('security.session_protection_disabled', false);
$this->setEmpty('security.open_shaarli', false);
+ $this->setEmpty('security.allowed_protocols', ['ftp', 'ftps', 'magnet']);
$this->setEmpty('general.header_link', '?');
$this->setEmpty('general.links_per_page', 20);
// Remove duplicates.
$tags = implode(' ', array_unique(explode(' ', $tags)));
- $url = trim($_POST['lf_url']);
- if (! startsWith($url, 'http:') && ! startsWith($url, 'https:')
- && ! startsWith($url, 'ftp:') && ! startsWith($url, 'magnet:')
- && ! startsWith($url, '?') && ! startsWith($url, 'javascript:')
- ) {
- $url = 'http://' . $url;
- }
+ $url = whitelist_protocols(trim($_POST['lf_url']), $conf->get('security.allowed_protocols'));
$link = array(
'id' => $id,
$value = stripNoMarkdownTag($value);
continue;
}
- $value['description'] = process_markdown($value['description'], $conf->get('security.markdown_escape', true));
+ $value['description'] = process_markdown(
+ $value['description'],
+ $conf->get('security.markdown_escape', true),
+ $conf->get('security.allowed_protocols')
+ );
}
return $data;
}
$value = stripNoMarkdownTag($value);
continue;
}
- $value['description'] = process_markdown($value['description'], $conf->get('security.markdown_escape', true));
+ $value['description'] = process_markdown(
+ $value['description'],
+ $conf->get('security.markdown_escape', true),
+ $conf->get('security.allowed_protocols')
+ );
}
return $data;
}
$value2['formatedDescription'] = process_markdown(
$value2['formatedDescription'],
- $conf->get('security.markdown_escape', true)
+ $conf->get('security.markdown_escape', true),
+ $conf->get('security.allowed_protocols')
);
}
}
return preg_replace('/(^| ) /m', '$1 ', $description);
}
+/**
+ * Replace not whitelisted protocols with http:// in given description.
+ *
+ * @param string $description input description text.
+ * @param array $allowedProtocols list of allowed protocols.
+ *
+ * @return string $description without malicious link.
+ */
+function filter_protocols($description, $allowedProtocols)
+{
+ return preg_replace_callback(
+ '#]\((.*?)\)#is',
+ function ($match) use ($allowedProtocols) {
+ return ']('. whitelist_protocols($match[1], $allowedProtocols) .')';
+ },
+ $description
+ );
+}
+
/**
* Remove dangerous HTML tags (tags, iframe, etc.).
* Doesn't affect <code> content (already escaped by Parsedown).
*
* @return string HTML processed $description.
*/
-function process_markdown($description, $escape = true)
+function process_markdown($description, $escape = true, $allowedProtocols = [])
{
$parsedown = new Parsedown();
$processedDescription = reverse_nl2br($processedDescription);
$processedDescription = reverse_space2nbsp($processedDescription);
$processedDescription = reverse_text2clickable($processedDescription);
+ $processedDescription = filter_protocols($processedDescription, $allowedProtocols);
$processedDescription = unescape($processedDescription);
$processedDescription = $parsedown
->setMarkupEscaped($escape)
--- /dev/null
+<?php
+
+require_once 'application/Url.php';
+
+use Shaarli\Config\ConfigManager;
+
+/**
+ * Class WhitelistProtocolsTest
+ *
+ * Test whitelist_protocols() function of Url.
+ */
+class WhitelistProtocolsTest extends PHPUnit_Framework_TestCase
+{
+ /**
+ * Test whitelist_protocols() on a note (relative URL).
+ */
+ public function testWhitelistProtocolsRelative()
+ {
+ $whitelist = ['ftp', 'magnet'];
+ $url = '?12443564';
+ $this->assertEquals($url, whitelist_protocols($url, $whitelist));
+ $url = '/path.jpg';
+ $this->assertEquals($url, whitelist_protocols($url, $whitelist));
+ }
+
+ /**
+ * Test whitelist_protocols() on a note (relative URL).
+ */
+ public function testWhitelistProtocolMissing()
+ {
+ $whitelist = ['ftp', 'magnet'];
+ $url = 'test.tld/path/?query=value#hash';
+ $this->assertEquals('http://'. $url, whitelist_protocols($url, $whitelist));
+ }
+
+ /**
+ * Test whitelist_protocols() with allowed protocols.
+ */
+ public function testWhitelistAllowedProtocol()
+ {
+ $whitelist = ['ftp', 'magnet'];
+ $url = 'http://test.tld/path/?query=value#hash';
+ $this->assertEquals($url, whitelist_protocols($url, $whitelist));
+ $url = 'https://test.tld/path/?query=value#hash';
+ $this->assertEquals($url, whitelist_protocols($url, $whitelist));
+ $url = 'ftp://test.tld/path/?query=value#hash';
+ $this->assertEquals($url, whitelist_protocols($url, $whitelist));
+ $url = 'magnet:test.tld/path/?query=value#hash';
+ $this->assertEquals($url, whitelist_protocols($url, $whitelist));
+ }
+
+ /**
+ * Test whitelist_protocols() with allowed protocols.
+ */
+ public function testWhitelistDisallowedProtocol()
+ {
+ $whitelist = ['ftp', 'magnet'];
+ $url = 'javascript:alert("xss");';
+ $this->assertEquals('http://alert("xss");', whitelist_protocols($url, $whitelist));
+ $url = 'other://test.tld/path/?query=value#hash';
+ $this->assertEquals('http://test.tld/path/?query=value#hash', whitelist_protocols($url, $whitelist));
+ }
+}
{
PluginManager::$PLUGINS_PATH = 'plugins';
$this->conf = new ConfigManager('tests/utils/config/configJson');
+ $this->conf->set('security.allowed_protocols', ['ftp', 'magnet']);
}
/**
}
/**
- * Test hashtag links processed with markdown.
+ * Make sure that the generated HTML match the reference HTML file.
*/
- public function testMarkdownHashtagLinks()
+ public function testMarkdownGlobalProcessDescription()
{
$md = file_get_contents('tests/plugins/resources/markdown.md');
$md = format_description($md);
$html = file_get_contents('tests/plugins/resources/markdown.html');
- $data = process_markdown($md);
+ $data = process_markdown(
+ $md,
+ $this->conf->get('security.markdown_escape', true),
+ $this->conf->get('security.allowed_protocols')
+ );
$this->assertEquals($html, $data);
}
next #foo</code></pre>
<p>Block:</p>
<pre><code>lorem ipsum #foobar http://link.tld
-#foobar http://link.tld</code></pre></div>
\ No newline at end of file
+#foobar http://link.tld</code></pre>
+<p><a href="?123456">link</a><br />
+<img src="/img/train.png" alt="link" /><br />
+<a href="http://test.tld/path/?query=value#hash">link</a><br />
+<a href="http://test.tld/path/?query=value#hash">link</a><br />
+<a href="https://test.tld/path/?query=value#hash">link</a><br />
+<a href="ftp://test.tld/path/?query=value#hash">link</a><br />
+<a href="magnet:test.tld/path/?query=value#hash">link</a><br />
+<a href="http://alert('xss')">link</a><br />
+<a href="http://test.tld/path/?query=value#hash">link</a></p></div>
\ No newline at end of file
```
lorem ipsum #foobar http://link.tld
#foobar http://link.tld
-```
\ No newline at end of file
+```
+
+[link](?123456)
+![link](/img/train.png)
+[link](test.tld/path/?query=value#hash)
+[link](http://test.tld/path/?query=value#hash)
+[link](https://test.tld/path/?query=value#hash)
+[link](ftp://test.tld/path/?query=value#hash)
+[link](magnet:test.tld/path/?query=value#hash)
+[link](javascript:alert('xss'))
+[link](other://test.tld/path/?query=value#hash)
\ No newline at end of file
color: #1b926c;
}
-.linklist-item-title .linklist-link:visited {
- color: #1b926c;
+.linklist-item-title a:visited .linklist-link {
+ color: #555555;
}
.linklist-item-title a:hover, .linklist-item-title .linklist-link:hover{
function(){
var%20url%20=%20location.href;
var%20title%20=%20document.title%20||%20url;
+ var%20desc=document.getSelection().toString();
+ if(desc.length>4000){
+ desc=desc.substr(0,4000)+'...';
+ alert('{function="str_replace(' ', '%20', t('The selected text is too long, it will be truncated.'))"}');
+ }
window.open(
'{$pageabsaddr}?post='%20+%20encodeURIComponent(url)+
'&title='%20+%20encodeURIComponent(title)+
- '&description='%20+%20encodeURIComponent(document.getSelection())+
+ '&description='%20+%20encodeURIComponent(desc)+
'&source=bookmarklet','_blank','menubar=no,height=800,width=600,toolbar=no,scrollbars=yes,status=no,dialog=1'
);
}
class="bookmarklet-link"
href="javascript:(
function(){
+ var%20desc=document.getSelection().toString();
+ if(desc.length>4000){
+ desc=desc.substr(0,4000)+'...';
+ alert("{function="str_replace(' ', '%20', t('The selected text is too long, it will be truncated.'))"}");
+ }
window.open(
'{$pageabsaddr}?private=1&post='+
- '&description='%20+%20encodeURIComponent(document.getSelection())+
+ '&description='%20+%20encodeURIComponent(desc)+
'&source=bookmarklet','_blank','menubar=no,height=800,width=600,toolbar=no,scrollbars=yes,status=no,dialog=1'
);
}