authorArthurHoaro <arthur@hoa.ro>2017-05-25 14:52:42 +0200
committerArthurHoaro <arthur@hoa.ro>2017-05-25 14:58:34 +0200
commit86ceea054f5f85157b04473bac5bfb6ff86ca31f (patch)
treee8216f2f36952818427e633b641a54a6ff26379a /index.php
parent61c15aa5554431893ea5ebe800a9a625dca5aff9 (diff)
Add a whitelist of protocols for URLs
- for Shaare
- for markdown description links and images

Protocols that are not whitelisted will be replaced by `http://`
Diffstat (limited to 'index.php')
-rw-r--r--index.php8
1 files changed, 1 insertions, 7 deletions
diff --git a/index.php b/index.php
index 468dd091..944af674 100644
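--- a/index.php
+++ b/index.php
@@ -1237,13 +1237,7 @@ function renderPage($conf, $pluginManager, $LINKSDB, $history)
 // Remove duplicates.
 $tags = implode(' ', array_unique(explode(' ', $tags)));
 
-$url = trim($_POST['lf_url']);
-if (! startsWith($url, 'http:') && ! startsWith($url, 'https:')
-&& ! startsWith($url, 'ftp:') && ! startsWith($url, 'magnet:')
-&& ! startsWith($url, '?') && ! startsWith($url, 'javascript:')
-) {
-$url = 'http://' . $url;
-}
+$url = whitelist_protocols(trim($_POST['lf_url']), $conf->get('security.allowed_protocols'));
 
 $link = array(
 'id' => $id,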
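Review bot: On new line 1240 the allow-list is read with `$conf->get('security.allowed_protocols')` and no fallback, so what gets stored as the link URL depends entirely on a config value whose default is not visible in this section. If the key is absent or not an array on an upgraded install, the helper's behaviour is undefined from here; confirm a default is registered, or pass one at the call site, e.g. `$conf->get('security.allowed_protocols', [])`. The removed condition let `javascript:` and `?`-prefixed URLs through unchanged, so `whitelist_protocols()` (defined outside this hunk) should be covered by tests showing that `?` note links still survive and that `javascript` is rejected under the default list, including mixed-case spellings such as `JavaScript:`. A short comment above the call, `// Schemes outside security.allowed_protocols are rewritten to http:// before the link is stored`, would record the intent; renderPage's body starts and ends outside the hunk.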