Extend PMA_checkLink to cover more use cases

- allow to support mailto, ftp or http links on request - do not use multibyte functions as we're interested in first chars anyway and we're comparing against ascii ones Issue #12479 Signed-off-by: Michal Čihař <michal@cihar.com>
phpmyadmin · Aug 24, 2016 · 265efb0 · 265efb0
1 parent 4a9b84f
commit 265efb0
Showing 1 changed file with 14 additions and 4 deletions.
diff --git a/libraries/sanitizing.lib.php b/libraries/sanitizing.lib.php
@@ -9,23 +9,33 @@
 /**
  * Checks whether given link is valid
  *
- * @param string $url URL to check
+ * @param string  $url   URL to check
+ * @param boolean $http  Whether to allow http links
+ * @param boolean $other Whether to allow ftp and mailto links
  *
  * @return boolean True if string can be used as link
  */
-function PMA_checkLink($url)
+function PMA_checkLink($url, $http=false, $other=false)
 {
+    $url = strtolower($url);
     $valid_starts = array(
         'https://',
-        './url.php?url=https%3A%2F%2F',
+        './url.php?url=https%3a%2f%2f',
         './doc/html/',
     );
+    if ($other) {
+        $valid_starts[] = 'mailto:';
+        $valid_starts[] = 'ftp://';
+    }
+    if ($http) {
+        $valid_starts[] = 'http://';
+    }
     if (defined('PMA_SETUP')) {
         $valid_starts[] = '?page=form&';
         $valid_starts[] = '?page=servers&';
     }
     foreach ($valid_starts as $val) {
-        if (mb_substr($url, 0, mb_strlen($val)) == $val) {
+        if (substr($url, 0, strlen($val)) == $val) {
             return true;
         }
     }