Add a whitelist of protocols for URLs

- for Shaare - for markdown description links and images Not whitelisted protocols will be replaced by `http://`
author: ArthurHoaro <arthur@hoa.ro> 2017-05-25 14:52:42 +0200
committer: ArthurHoaro <arthur@hoa.ro> 2017-05-25 14:58:34 +0200
commit: 86ceea054f5f85157b04473bac5bfb6ff86ca31f (patch)
tree: e8216f2f36952818427e633b641a54a6ff26379a /application/Url.php
parent: 61c15aa5554431893ea5ebe800a9a625dca5aff9 (diff)
download: Shaarli-86ceea054f5f85157b04473bac5bfb6ff86ca31f.tar.gz
Shaarli-86ceea054f5f85157b04473bac5bfb6ff86ca31f.tar.zst
Shaarli-86ceea054f5f85157b04473bac5bfb6ff86ca31f.zip
1 files changed, 24 insertions, 0 deletions
diff --git a/application/Url.php b/application/Url.php
index 25a62a8a..b3759377 100644
--- a/application/Url.php
+++ b/application/Url.php
@@ -64,6 +64,30 @@ function add_trailing_slash($url)
 }
 /**
+ * Replace not whitelisted protocols by 'http://' from given URL.
+ *
+ * @param string $url       URL to clean
+ * @param array  $protocols List of allowed protocols (aside from http(s)).
+ *
+ * @return string URL with allowed protocol
+ */
+function whitelist_protocols($url, $protocols)
+{
+    if (startsWith($url, '?') || startsWith($url, '/')) {
+        return $url;
+    }
+    $protocols = array_merge(['http', 'https'], $protocols);
+    $protocol = preg_match('#^(\w+):/?/?#', $url, $match);
+    // Protocol not allowed: we remove it and replace it with http
+    if ($protocol === 1 && ! in_array($match[1], $protocols)) {
+        $url = str_replace($match[0], 'http://', $url);
+    } else if ($protocol !== 1) {
+        $url = 'http://' . $url;
+    }
+    return $url;
+}
+/**
 * URL representation and cleanup utilities
 *
 * Form
author	ArthurHoaro <arthur@hoa.ro>	2017-05-25 14:52:42 +0200
committer	ArthurHoaro <arthur@hoa.ro>	2017-05-25 14:58:34 +0200
commit	86ceea054f5f85157b04473bac5bfb6ff86ca31f (patch)
tree	e8216f2f36952818427e633b641a54a6ff26379a /application/Url.php
parent	61c15aa5554431893ea5ebe800a9a625dca5aff9 (diff)
download	Shaarli-86ceea054f5f85157b04473bac5bfb6ff86ca31f.tar.gz Shaarli-86ceea054f5f85157b04473bac5bfb6ff86ca31f.tar.zst Shaarli-86ceea054f5f85157b04473bac5bfb6ff86ca31f.zip

diff --git a/application/Url.php b/application/Url.php index 25a62a8a..b3759377 100644 --- a/application/Url.php +++ b/application/Url.php
@@ -64,6 +64,30 @@ function add_trailing_slash($url)
64	}	64	}
65		65
66	/**	66	/**
		67	* Replace not whitelisted protocols by 'http://' from given URL.
		68	*
		69	* @param string $url URL to clean
		70	* @param array $protocols List of allowed protocols (aside from http(s)).
		71	*
		72	* @return string URL with allowed protocol
		73	*/
		74	function whitelist_protocols($url, $protocols)
		75	{
		76	if (startsWith($url, '?') \|\| startsWith($url, '/')) {
		77	return $url;
		78	}
		79	$protocols = array_merge(['http', 'https'], $protocols);
		80	$protocol = preg_match('#^(\w+):/?/?#', $url, $match);
		81	// Protocol not allowed: we remove it and replace it with http
		82	if ($protocol === 1 && ! in_array($match[1], $protocols)) {
		83	$url = str_replace($match[0], 'http://', $url);
		84	} else if ($protocol !== 1) {
		85	$url = 'http://' . $url;
		86	}
		87	return $url;
		88	}
		89
		90	/**
67	* URL representation and cleanup utilities	91	* URL representation and cleanup utilities
68	*	92	*
69	* Form	93	* Form