fix: Return safe url for accounts. (#1839)

Signed-off-by: Rubén D <nuxsmin@syspass.org>

app/modules/web/themes/material-blue/views/account/account.inc

@@ -1,4 +1,27 @@
 <?php
+/*
+ * sysPass
+ *
+ * @author nuxsmin
+ * @link https://syspass.org
+ * @copyright 2012-2022, Rubén Domínguez nuxsmin@$syspass.org
+ *
+ * This file is part of sysPass.
+ *
+ * sysPass is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * sysPass is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with sysPass.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
 /**
  * @var callable       $_getvar
  * @var ThemeIcons     $icons
@@ -253,11 +276,8 @@ $showCustomFields = count($_getvar('customFields', 0)) > 0;
                                 class="mdl-textfield__input mdl-color-text--indigo-400"
                                 rows="3" id="notes"
                                 name="notes"
-                                maxlength="5000" <?php echo $_getvar('readonly'); ?>>
-                            <?php echo $gotData
-                                ? htmlspecialchars($accountData->getNotes(), ENT_QUOTES)
-                                : ''; ?>
-                        </textarea>
+                                maxlength="5000" <?php echo $_getvar('readonly'); ?>><?php echo $gotData
+                                ? htmlspecialchars($accountData->getNotes(), ENT_QUOTES) : ''; ?></textarea>
                                 <label class="mdl-textfield__label"
                                        for="notes"><?php echo __('Notes about the account'); ?></label>
                             </div>

app/modules/web/themes/material-blue/views/account/search-rows.inc

@@ -1,4 +1,27 @@
 <?php
+/*
+ * sysPass
+ *
+ * @author nuxsmin
+ * @link https://syspass.org
+ * @copyright 2012-2022, Rubén Domínguez nuxsmin@$syspass.org
+ *
+ * This file is part of sysPass.
+ *
+ * sysPass is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * sysPass is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with sysPass.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
 /**
  * @var ThemeIcons         $icons
  * @var callable           $_getvar
@@ -102,9 +125,12 @@ $favoriteRouteOff = $_getvar('favoriteRouteOff');
                         <div class="field-url field-text label-field">
                             <div class="field-name"><?php echo __('URL / IP'); ?></div>
                             <?php if ($accountSearchItem->isUrlIslink()): ?>
-                                <a href="<?php echo urlencode($accountSearchData->getUrl()); ?>"
+                                <a href="<?php echo $accountSearchItem->getSafeUrl(); ?>"
                                    target="_blank"
-                                   title="<?php printf(__('Open link to: %s'), htmlspecialchars($accountSearchData->getUrl(), ENT_QUOTES)); ?>">
+                                   title="<?php printf(
+                                       __('Open link to: %s'),
+                                       htmlspecialchars($accountSearchData->getUrl(), ENT_QUOTES)
+                                   ); ?>">
                                     <?php echo htmlspecialchars($accountSearchItem->getShortUrl(), ENT_QUOTES); ?>
                                 </a>
                             <?php else: ?>

lib/SP/Html/Html.php

@@ -1,10 +1,10 @@
 <?php
-/**
+/*
  * sysPass
  *
- * @author    nuxsmin
- * @link      https://syspass.org
- * @copyright 2012-2019, Rubén Domínguez nuxsmin@$syspass.org
+ * @author nuxsmin
+ * @link https://syspass.org
+ * @copyright 2012-2022, Rubén Domínguez nuxsmin@$syspass.org
  *
  * This file is part of sysPass.
  *
@@ -19,7 +19,7 @@
  * GNU General Public License for more details.
  *
  * You should have received a copy of the GNU General Public License
- *  along with sysPass.  If not, see <http://www.gnu.org/licenses/>.
+ * along with sysPass.  If not, see <http://www.gnu.org/licenses/>.
  */
 
 namespace SP\Html;
@@ -176,4 +176,19 @@ public static function stripTags(string $text): string
         // Replace tags, then new lines, tabs and return chars, and then 2 or more spaces
         return trim(preg_replace(['/<[^>]*>/', '/[\n\t\r]+/', '/\s{2,}/'], ' ', $text));
     }
+
+    /**
+     * @param  string  $url
+     *
+     * @return string
+     */
+    public static function getSafeUrl(string $url): string
+    {
+        if (preg_match('#^((?:https?|ftp|ssh|rdp)://[\w._-]+/)(.*)#', $url, $urlParts)
+            && count($urlParts) === 3) {
+            return $urlParts[1].urlencode($urlParts[2]);
+        }
+
+        return urlencode($url);
+    }
 }

lib/SP/Services/Account/AccountSearchItem.php

@@ -1,10 +1,10 @@
 <?php
-/**
+/*
  * sysPass
  *
- * @author    nuxsmin
- * @link      https://syspass.org
- * @copyright 2012-2019, Rubén Domínguez nuxsmin@$syspass.org
+ * @author nuxsmin
+ * @link https://syspass.org
+ * @copyright 2012-2022, Rubén Domínguez nuxsmin@$syspass.org
  *
  * This file is part of sysPass.
  *
@@ -19,7 +19,7 @@
  * GNU General Public License for more details.
  *
  * You should have received a copy of the GNU General Public License
- *  along with sysPass.  If not, see <http://www.gnu.org/licenses/>.
+ * along with sysPass.  If not, see <http://www.gnu.org/licenses/>.
  */
 
 namespace SP\Services\Account;
@@ -202,15 +202,23 @@ public function setTextMaxLength($textMaxLength)
      */
     public function getShortUrl()
     {
-        return Html::truncate($this->accountSearchVData->getUrl(), $this->textMaxLength);
+        return Html::truncate($this->getSafeUrl(), $this->textMaxLength);
     }
 
     /**
      * @return boolean
      */
     public function isUrlIslink()
     {
-        return preg_match('#^\w+://#i', $this->accountSearchVData->getUrl());
+        return preg_match('#^\w+://#', $this->accountSearchVData->getUrl());
+    }
+
+    /**
+     * @return string
+     */
+    public function getSafeUrl()
+    {
+        return Html::getSafeUrl($this->accountSearchVData->getUrl());
     }
 
     /**

lib/SP/Services/Install/Installer.php

@@ -1,11 +1,11 @@
 <?php
 
-/**
+/*
  * sysPass
  *
- * @author    nuxsmin
- * @link      https://syspass.org
- * @copyright 2012-2019, Rubén Domínguez nuxsmin@$syspass.org
+ * @author nuxsmin
+ * @link https://syspass.org
+ * @copyright 2012-2022, Rubén Domínguez nuxsmin@$syspass.org
  *
  * This file is part of sysPass.
  *
@@ -20,7 +20,7 @@
  * GNU General Public License for more details.
  *
  * You should have received a copy of the GNU General Public License
- *  along with sysPass.  If not, see <http://www.gnu.org/licenses/>.
+ * along with sysPass.  If not, see <http://www.gnu.org/licenses/>.
  */
 
 namespace SP\Services\Install;
@@ -60,9 +60,9 @@ final class Installer extends Service
     /**
      * sysPass' version and build number
      */
-    const VERSION = [3, 2, 5];
+    const VERSION      = [3, 2, 6];
     const VERSION_TEXT = '3.2';
-    const BUILD = 22060401;
+    const BUILD        = 22061601;
 
     /**
      * @var DatabaseSetupInterface