diff options
author | ArthurHoaro <arthur@hoa.ro> | 2017-05-25 14:52:42 +0200 |
---|---|---|
committer | ArthurHoaro <arthur@hoa.ro> | 2017-05-25 14:58:34 +0200 |
commit | 86ceea054f5f85157b04473bac5bfb6ff86ca31f (patch) | |
tree | e8216f2f36952818427e633b641a54a6ff26379a /application/Url.php | |
parent | 61c15aa5554431893ea5ebe800a9a625dca5aff9 (diff) | |
download | Shaarli-86ceea054f5f85157b04473bac5bfb6ff86ca31f.tar.gz Shaarli-86ceea054f5f85157b04473bac5bfb6ff86ca31f.tar.zst Shaarli-86ceea054f5f85157b04473bac5bfb6ff86ca31f.zip |
Add a whitelist of protocols for URLs
- for Shaare
- for markdown description links and images
Not whitelisted protocols will be replaced by `http://`
Diffstat (limited to 'application/Url.php')
-rw-r--r-- | application/Url.php | 24 |
1 files changed, 24 insertions, 0 deletions
diff --git a/application/Url.php b/application/Url.php index 25a62a8a..b3759377 100644 --- a/application/Url.php +++ b/application/Url.php | |||
@@ -64,6 +64,30 @@ function add_trailing_slash($url) | |||
64 | } | 64 | } |
65 | 65 | ||
66 | /** | 66 | /** |
67 | * Replace not whitelisted protocols by 'http://' from given URL. | ||
68 | * | ||
69 | * @param string $url URL to clean | ||
70 | * @param array $protocols List of allowed protocols (aside from http(s)). | ||
71 | * | ||
72 | * @return string URL with allowed protocol | ||
73 | */ | ||
74 | function whitelist_protocols($url, $protocols) | ||
75 | { | ||
76 | if (startsWith($url, '?') || startsWith($url, '/')) { | ||
77 | return $url; | ||
78 | } | ||
79 | $protocols = array_merge(['http', 'https'], $protocols); | ||
80 | $protocol = preg_match('#^(\w+):/?/?#', $url, $match); | ||
81 | // Protocol not allowed: we remove it and replace it with http | ||
82 | if ($protocol === 1 && ! in_array($match[1], $protocols)) { | ||
83 | $url = str_replace($match[0], 'http://', $url); | ||
84 | } else if ($protocol !== 1) { | ||
85 | $url = 'http://' . $url; | ||
86 | } | ||
87 | return $url; | ||
88 | } | ||
89 | |||
90 | /** | ||
67 | * URL representation and cleanup utilities | 91 | * URL representation and cleanup utilities |
68 | * | 92 | * |
69 | * Form | 93 | * Form |