authorArthurHoaro <arthur@hoa.ro>2017-05-25 14:52:42 +0200
committerArthurHoaro <arthur@hoa.ro>2017-05-25 14:58:34 +0200
commit86ceea054f5f85157b04473bac5bfb6ff86ca31f (patch)
treee8216f2f36952818427e633b641a54a6ff26379a /application/Url.php
parent61c15aa5554431893ea5ebe800a9a625dca5aff9 (diff)
Add a whitelist of protocols for URLs
- for Shaare
- for markdown description links and images

Protocols that are not whitelisted will be replaced by `http://`
Diffstat (limited to 'application/Url.php')
-rw-r--r--application/Url.php24
1 files changed, 24 insertions, 0 deletions
diff --git a/application/Url.php b/application/Url.php
index 25a62a8a..b3759377 100644
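--- a/application/Url.php
+++ b/application/Url.php
@@ -64,6 +64,30 @@ function add_trailing_slash($url)
 }
 
 /**
+ * Replace not whitelisted protocols by 'http://' from given URL.
+ *
+ * @param string $url URL to clean
+ * @param array $protocols List of allowed protocols (aside from http(s)).
+ *
+ * @return string URL with allowed protocol
+ */
+function whitelist_protocols($url, $protocols)
+{
+ if (startsWith($url, '?') || startsWith($url, '/')) {
+ return $url;
+ }
+ $protocols = array_merge(['http', 'https'], $protocols);
+ $protocol = preg_match('#^(\w+):/?/?#', $url, $match);
+ // Protocol not allowed: we remove it and replace it with http
+ if ($protocol === 1 && ! in_array($match[1], $protocols)) {
+ $url = str_replace($match[0], 'http://', $url);
+ } else if ($protocol !== 1) {
+ $url = 'http://' . $url;
+ }
+ return $url;
+}
+
+/**
  * URL representation and cleanup utilities
  *
  * Form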
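Review bot: The `in_array($match[1], $protocols)` check in `whitelist_protocols` compares the scheme case-sensitively, so a valid `HTTPS://host/` link is treated as not whitelisted and rewritten to `http://host/`, silently downgrading it. URL schemes are case-insensitive, so normalise before comparing, e.g. `in_array(strtolower($match[1]), $protocols, true)` (this assumes the configured list is lower-case, which the hunk does not show). In the same branch, `str_replace($match[0], 'http://', $url)` rewrites every occurrence of the matched prefix, including ones inside the path or query string; `$url = 'http://' . substr($url, strlen($match[0]));` replaces only the leading scheme. The docblock should also state that any URL the regex does not recognise gets `http://` prepended, since that fail-closed default is what makes the whitelist effective.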