
BBC scheme checks for specific schemes #5338

Open
jdarwood007 opened this Issue Jan 10, 2019 · 1 comment

@jdarwood007
Member

jdarwood007 commented Jan 10, 2019

Description

In SMF 2.0 and 1.1 we did stuff like this to validate specifics in BBC such as ftp:

				'validate' => create_function('&$tag, &$data, $disabled', '
					$data = strtr($data, array(\'<br />\' => \'\'));
					if (strpos($data, \'ftp://\') !== 0 && strpos($data, \'ftps://\') !== 0)
						$data = \'ftp://\' . $data;
				'),

In SMF 2.1 we are doing this:

				'validate' => function(&$tag, &$data, $disabled)
				{
					$scheme = parse_url($data, PHP_URL_SCHEME);
					if (empty($scheme))
						$data = 'ftp://' . ltrim($data, ':/');
				},

While parse_url is a better check, we dropped the specifics in things like the ftp BBC to ensure it is only ftp:// or ftps:// links being used. This means we could use http:// or https:// links in an ftp link. Even file:// would be valid.

I see this being relevant for img, url and iurl bbc methods as well.

Additional information/references

The old changes were introduced in SMF 1.1.11 with the change log note: ! Double check the sanity of URL's in parse_bbc. (Subs.php)
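An added example, not code from SMF or from either commenter, of what a scheme allowlist in the 2.1 callback shape would look like. It keeps the parse_url() approach of the 2.1 validator but compares the scheme against a list rather than only testing for emptiness, and it generalises the same validator to the [url]/[img]/[iurl] case mentioned above by parameterising the allowlist. The function names normalize_url_scheme and make_scheme_validator are hypothetical, and blanking the value on rejection is a design choice made here, not SMF behaviour.

```php
<?php
// Added example (not SMF's own code): a scheme allowlist for a BBC validate
// callback, reusing the 2.1 shape (&$tag, &$data, $disabled) and parse_url(),
// but checking the scheme against a list instead of only testing for emptiness.

/**
 * Normalise $data against an allowlist of URL schemes (hypothetical helper).
 * Returns the (possibly completed) URL, or null when the scheme is not allowed.
 */
function normalize_url_scheme(string $data, array $allowed, string $default): ?string
{
	// Same line-break stripping the 2.0 validator did.
	$data = strtr($data, array('<br />' => ''));

	$scheme = parse_url($data, PHP_URL_SCHEME);

	// parse_url() returns false for badly malformed input; treat that as a rejection
	// rather than prepending a default scheme to it.
	if ($scheme === false)
		return null;

	// No scheme at all: supply the tag's default, as the 2.1 code does.
	if (empty($scheme))
		return $default . '://' . ltrim($data, ':/');

	// Schemes are case-insensitive (RFC 3986), so compare in lower case.
	if (!in_array(strtolower($scheme), $allowed, true))
		return null;

	return $data;
}

/**
 * Build a validate callback for a BBC tag definition (hypothetical helper).
 * What to do on rejection is a design choice; here the value is blanked so
 * nothing is linked.
 */
function make_scheme_validator(array $allowed, string $default): callable
{
	return function (&$tag, &$data, $disabled) use ($allowed, $default) {
		$result = normalize_url_scheme($data, $allowed, $default);
		$data = $result === null ? '' : $result;
	};
}

// Constructed sample inputs for demonstration (not taken from the issue).
$ftp_validate = make_scheme_validator(array('ftp', 'ftps'), 'ftp');
$web_validate = make_scheme_validator(array('http', 'https'), 'http');

$samples = array(
	'ftp.example.com/pub/file.tar.gz',   // no scheme: default gets prepended
	'FTPS://ftp.example.com/',           // upper-case scheme: allowed for [ftp]
	'http://www.example.com/',           // not an ftp scheme: rejected by [ftp]
	'file:///some/local/path',           // rejected by both allowlists
);

foreach ($samples as $input)
{
	// $disabled is the list of disabled tags in SMF; empty here.
	$tag = array('tag' => 'ftp');
	$data = $input;
	$ftp_validate($tag, $data, array());
	printf("[ftp] %-36s => %s\n", $input, $data === '' ? '(rejected)' : $data);

	$tag = array('tag' => 'url');
	$data = $input;
	$web_validate($tag, $data, array());
	printf("[url] %-36s => %s\n", $input, $data === '' ? '(rejected)' : $data);
}
```

Run with `php` on the command line; the first sample becomes ftp://ftp.example.com/pub/file.tar.gz under the [ftp] validator and http://ftp.example.com/pub/file.tar.gz under the [url] one, while the file: sample is rejected by both.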

@Sesquipedalian Sesquipedalian added this to the RC2 milestone Jan 13, 2019

@Sesquipedalian
Member

Sesquipedalian commented Jan 13, 2019

This seems to me like the correct behaviour. In the [url], [iurl], and [img] BBCodes, we shouldn't impose artificial limits on the protocol schemes of the URLs that people choose to post. If someone wants to post a link with any arbitrary scheme, it's not our place to say that they can't.

In the case of [ftp] in particular, that legacy BBCode is nothing more than an alias of [url], with the exception that it will automatically append an ftp: scheme to the front of the URL if the user forgot to provide one. So if some user were to put an HTTP URL into an [ftp] BBCode, all that she'd get would be a link identical to what she would have gotten if she'd just used [url].

@Gwenwyfar Gwenwyfar added the BBC label Jan 15, 2019
