Add a whitelist of protocols for URLs

- for Shaare - for markdown description links and images Not whitelisted protocols will be replaced by `http://`
author: ArthurHoaro <arthur@hoa.ro> 2017-05-25 14:52:42 +0200
committer: ArthurHoaro <arthur@hoa.ro> 2017-05-25 14:58:34 +0200
commit: 86ceea054f5f85157b04473bac5bfb6ff86ca31f (patch)
tree: e8216f2f36952818427e633b641a54a6ff26379a /index.php
parent: 61c15aa5554431893ea5ebe800a9a625dca5aff9 (diff)
download: Shaarli-86ceea054f5f85157b04473bac5bfb6ff86ca31f.tar.gz
Shaarli-86ceea054f5f85157b04473bac5bfb6ff86ca31f.tar.zst
Shaarli-86ceea054f5f85157b04473bac5bfb6ff86ca31f.zip
1 files changed, 1 insertions, 7 deletions
diff --git a/index.php b/index.php
index 468dd091..944af674 100644
--- a/index.php
+++ b/index.php
@@ -1237,13 +1237,7 @@ function renderPage($conf, $pluginManager, $LINKSDB, $history)
        // Remove duplicates.
        $tags = implode(' ', array_unique(explode(' ', $tags)));
-        $url = trim($_POST['lf_url']);
+        $url = whitelist_protocols(trim($_POST['lf_url']), $conf->get('security.allowed_protocols'));
-        if (! startsWith($url, 'http:') && ! startsWith($url, 'https:')
-            && ! startsWith($url, 'ftp:') && ! startsWith($url, 'magnet:')
-            && ! startsWith($url, '?') && ! startsWith($url, 'javascript:')
-        ) {
-            $url = 'http://' . $url;
-        }
        $link = array(
            'id' => $id,
author	ArthurHoaro <arthur@hoa.ro>	2017-05-25 14:52:42 +0200
committer	ArthurHoaro <arthur@hoa.ro>	2017-05-25 14:58:34 +0200
commit	86ceea054f5f85157b04473bac5bfb6ff86ca31f (patch)
tree	e8216f2f36952818427e633b641a54a6ff26379a /index.php
parent	61c15aa5554431893ea5ebe800a9a625dca5aff9 (diff)
download	Shaarli-86ceea054f5f85157b04473bac5bfb6ff86ca31f.tar.gz Shaarli-86ceea054f5f85157b04473bac5bfb6ff86ca31f.tar.zst Shaarli-86ceea054f5f85157b04473bac5bfb6ff86ca31f.zip