Increase specificity of default allowed protocols
This commit is contained in:
parent
f88435fa4c
commit
0f9520f520
2 changed files with 11 additions and 5 deletions
|
@ -1753,19 +1753,25 @@ class BBCode extends BaseObject
|
||||||
$text = preg_replace('/\<([^>]*?)(src|href)=(.*?)\&\;(.*?)\>/ism', '<$1$2=$3&$4>', $text);
|
$text = preg_replace('/\<([^>]*?)(src|href)=(.*?)\&\;(.*?)\>/ism', '<$1$2=$3&$4>', $text);
|
||||||
|
|
||||||
// sanitizes src attributes (http and redir URLs for displaying in a web page, cid used for inline images in emails)
|
// sanitizes src attributes (http and redir URLs for displaying in a web page, cid used for inline images in emails)
|
||||||
$allowed_src_protocols = ['//', 'http', 'redir', 'cid'];
|
$allowed_src_protocols = ['//', 'http://', 'https://', 'redir/', 'cid:'];
|
||||||
|
|
||||||
|
array_walk($allowed_src_protocols, function(&$value) { $value = preg_quote($value, '#');});
|
||||||
|
|
||||||
$text = preg_replace('#<([^>]*?)(src)="(?!' . implode('|', $allowed_src_protocols) . ')(.*?)"(.*?)>#ism',
|
$text = preg_replace('#<([^>]*?)(src)="(?!' . implode('|', $allowed_src_protocols) . ')(.*?)"(.*?)>#ism',
|
||||||
'<$1$2=""$4 data-original-src="$3" class="invalid-src" title="' . L10n::t('Invalid source protocol') . '">', $text);
|
'<$1$2=""$4 data-original-src="$3" class="invalid-src" title="' . L10n::t('Invalid source protocol') . '">', $text);
|
||||||
|
|
||||||
// sanitize href attributes (only whitelisted protocols URLs)
|
// sanitize href attributes (only whitelisted protocols URLs)
|
||||||
// default value for backward compatibility
|
// default value for backward compatibility
|
||||||
$allowed_link_protocols = Config::get('system', 'allowed_link_protocols', ['ftp', 'mailto', 'gopher', 'cid']);
|
$allowed_link_protocols = Config::get('system', 'allowed_link_protocols', []);
|
||||||
|
|
||||||
// Always allowed protocol even if config isn't set or not including it
|
// Always allowed protocol even if config isn't set or not including it
|
||||||
$allowed_link_protocols[] = 'http';
|
|
||||||
$allowed_link_protocols[] = '//';
|
$allowed_link_protocols[] = '//';
|
||||||
|
$allowed_link_protocols[] = 'http://';
|
||||||
|
$allowed_link_protocols[] = 'https://';
|
||||||
$allowed_link_protocols[] = 'redir/';
|
$allowed_link_protocols[] = 'redir/';
|
||||||
|
|
||||||
|
array_walk($allowed_link_protocols, function(&$value) { $value = preg_quote($value, '#');});
|
||||||
|
|
||||||
$regex = '#<([^>]*?)(href)="(?!' . implode('|', $allowed_link_protocols) . ')(.*?)"(.*?)>#ism';
|
$regex = '#<([^>]*?)(href)="(?!' . implode('|', $allowed_link_protocols) . ')(.*?)"(.*?)>#ism';
|
||||||
$text = preg_replace($regex, '<$1$2="javascript:void(0)"$4 data-original-href="$3" class="invalid-href" title="' . L10n::t('Invalid link protocol') . '">', $text);
|
$text = preg_replace($regex, '<$1$2="javascript:void(0)"$4 data-original-href="$3" class="invalid-href" title="' . L10n::t('Invalid link protocol') . '">', $text);
|
||||||
|
|
||||||
|
|
|
@ -52,8 +52,8 @@ return [
|
||||||
],
|
],
|
||||||
'system' => [
|
'system' => [
|
||||||
// allowed_link_protocols (Array)
|
// allowed_link_protocols (Array)
|
||||||
// Allowed protocols in links URLs, add at your own risk. http is always allowed.
|
// Allowed protocols in links URLs, add at your own risk. http(s) is always allowed.
|
||||||
'allowed_link_protocols' => ['ftp', 'ftps', 'mailto', 'cid', 'gopher'],
|
'allowed_link_protocols' => ['ftp://', 'ftps://', 'mailto:', 'cid:', 'gopher://'],
|
||||||
|
|
||||||
// always_show_preview (Boolean)
|
// always_show_preview (Boolean)
|
||||||
// Only show small preview pictures.
|
// Only show small preview pictures.
|
||||||
|
|
Loading…
Reference in a new issue