Merge pull request #1853

* fix: Encode special characters using regex.

* chore: Bump version number.

lib/SP/Html/Html.php

@@ -184,19 +184,19 @@ public static function stripTags(string $text): string
      */
     public static function getSafeUrl(string $url): string
     {
-        $match = preg_match('#^(([a-z]+)://[\w._-]+)(?:/(.*))?#i', $url, $urlParts);
+        $urlParts = parse_url($url);
 
-        if ($match !== 1) {
-            return htmlspecialchars($url, ENT_QUOTES);
+        if ($urlParts === false) {
+            return 'malformed_url';
         }
 
-        switch (count($urlParts)) {
-            case 3:
-                return htmlspecialchars($urlParts[1], ENT_QUOTES).'/'.urlencode($urlParts[2]);
-            case 2:
-                return htmlspecialchars($urlParts[1], ENT_QUOTES);
-            default:
-                return htmlspecialchars($url, ENT_QUOTES);
-        }
+        return preg_replace_callback(
+            '/[^:\/@?&=#%\w]+/u',
+            function ($matches)
+            {
+                return urlencode($matches[0]);
+            },
+            $url
+        );
     }
 }

lib/SP/Services/Install/Installer.php

@@ -60,9 +60,9 @@ final class Installer extends Service
     /**
      * sysPass' version and build number
      */
-    const VERSION      = [3, 2, 9];
+    const VERSION      = [3, 2, 10];
     const VERSION_TEXT = '3.2';
-    const BUILD        = 22062501;
+    const BUILD        = 22070101;
 
     /**
      * @var DatabaseSetupInterface

tests/SP/Html/HtmlTest.php

@@ -0,0 +1,72 @@
+<?php
+/*
+ * sysPass
+ *
+ * @author nuxsmin
+ * @link https://syspass.org
+ * @copyright 2012-2022, Rubén Domínguez nuxsmin@$syspass.org
+ *
+ * This file is part of sysPass.
+ *
+ * sysPass is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * sysPass is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with sysPass.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+namespace SP\Tests\Html;
+
+use Faker\Factory;
+use PHPUnit\Framework\TestCase;
+use SP\Html\Html;
+
+/**
+ * Class HtmlTest
+ */
+class HtmlTest extends TestCase
+{
+    private static $faker;
+
+    public static function setUpBeforeClass(): void
+    {
+        parent::setUpBeforeClass();
+
+        self::$faker = Factory::create();
+    }
+
+
+    public function testGetSafeUrlOk()
+    {
+        $url = self::$faker->url;
+
+        $this->assertEquals($url, Html::getSafeUrl($url));
+    }
+
+    /**
+     * @dataProvider urlProvider
+     * @return void
+     */
+    public function testGetSafeUrlEncoded(string $url)
+    {
+        $this->assertEquals(0, preg_match('/["<>]+/', Html::getSafeUrl($url)));
+    }
+
+    private function urlProvider(): array
+    {
+        return [
+            ['https://foo.com/<script>alert("TEST");</script>'],
+            ['https://foo.com/><script>alert("TEST");</script>'],
+            ['https://foo.com/"><script>alert("TEST");</script>'],
+            ['https://foo.com/"%20onClick="alert(\'TEST\'")'],
+            ['https://foo.com/" onClick="alert(\'TEST\')"'],
+        ];
+    }
+}