Merge pull request #880 from ArthurHoaro/hotfix/allowed-protocols

Add a whitelist of protocols for URLs
author: ArthurHoaro <arthur@hoa.ro> 2017-05-31 17:52:19 +0200
committer: GitHub <noreply@github.com> 2017-05-31 17:52:19 +0200
commit: ac94db1e36c77d52c316b5fa4e8e36b9d1e38b9e (patch)
tree: b235a4ed0e5291d7ad2f008df5bbed4d43200cbe /index.php
parent: 268309df5d8110f516940be06e9481d66f3fb5d6 (diff)
parent: 86ceea054f5f85157b04473bac5bfb6ff86ca31f (diff)
download: Shaarli-ac94db1e36c77d52c316b5fa4e8e36b9d1e38b9e.tar.gz
Shaarli-ac94db1e36c77d52c316b5fa4e8e36b9d1e38b9e.tar.zst
Shaarli-ac94db1e36c77d52c316b5fa4e8e36b9d1e38b9e.zip
1 files changed, 1 insertions, 7 deletions
diff --git a/index.php b/index.php
index 92eb443b..823eb8de 100644
--- a/index.php
+++ b/index.php
@@ -1256,13 +1256,7 @@ function renderPage($conf, $pluginManager, $LINKSDB, $history)
        // Remove duplicates.
        $tags = implode(' ', array_unique(explode(' ', $tags)));
-        $url = trim($_POST['lf_url']);
+        $url = whitelist_protocols(trim($_POST['lf_url']), $conf->get('security.allowed_protocols'));
-        if (! startsWith($url, 'http:') && ! startsWith($url, 'https:')
-            && ! startsWith($url, 'ftp:') && ! startsWith($url, 'magnet:')
-            && ! startsWith($url, '?') && ! startsWith($url, 'javascript:')
-        ) {
-            $url = 'http://' . $url;
-        }
        $link = array(
            'id' => $id,
author	ArthurHoaro <arthur@hoa.ro>	2017-05-31 17:52:19 +0200
committer	GitHub <noreply@github.com>	2017-05-31 17:52:19 +0200
commit	ac94db1e36c77d52c316b5fa4e8e36b9d1e38b9e (patch)
tree	b235a4ed0e5291d7ad2f008df5bbed4d43200cbe /index.php
parent	268309df5d8110f516940be06e9481d66f3fb5d6 (diff)
parent	86ceea054f5f85157b04473bac5bfb6ff86ca31f (diff)
download	Shaarli-ac94db1e36c77d52c316b5fa4e8e36b9d1e38b9e.tar.gz Shaarli-ac94db1e36c77d52c316b5fa4e8e36b9d1e38b9e.tar.zst Shaarli-ac94db1e36c77d52c316b5fa4e8e36b9d1e38b9e.zip