
Commit 615212a

committed
Do not allow javascript: links in transformation
Signed-off-by: Michal Čihař <michal@cihar.com>
1 parent 519e634 commit 615212a


2 files changed

+15
-7
lines changed


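--- a/libraries/plugins/transformations/abs/TextImageLinkTransformationsPlugin.php
+++ b/libraries/plugins/transformations/abs/TextImageLinkTransformationsPlugin.php
@@ -46,9 +46,14 @@ public static function getInfo()
 */
 public function applyTransformation($buffer, $options = array(), $meta = '')
 {
-return '<a href="' . htmlspecialchars(isset($options[0]) ? $options[0] : '')
-. htmlspecialchars($buffer) . '" target="_blank"><img src="'
-. htmlspecialchars(isset($options[0]) ? $options[0] : '') . htmlspecialchars($buffer)
+$url = (isset($options[0]) ? $options[0] : '') . $buffer;
+$parsed = parse_url($url);
+/* Do not allow javascript links */
+if (isset($parsed['scheme']) && $parsed['scheme'] == 'javascript') {
+return htmlspecialchars($url);
+}
+return '<a href="' . htmlspecialchars($url)
+. '" target="_blank"><img src="' . htmlspecialchars($url)
 . '" border="0" width="' . (isset($options[1]) ? $options[1] : 100)
 . '" height="' . (isset($options[2]) ? $options[2] : 50) . '" />'
 . htmlspecialchars($buffer) . '</a>';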
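Review bot: The scheme comparison on the new `if` line is case-sensitive, so a cell value such as `JavaScript:alert(1)` or `JAVASCRIPT:...` is not caught and still lands in both the `href` and `src` attributes, and other active schemes (`data:`, `vbscript:`) are not considered at all. Because `$buffer` is database content, a denylist is the wrong shape; an allowlist on the lowercased scheme is safer: `if (isset($parsed['scheme']) && ! in_array(strtolower($parsed['scheme']), array('http', 'https', 'ftp', 'mailto'), true)) {`. Browsers also tolerate leading whitespace and embedded tab/newline characters inside a scheme that `parse_url()` presumably will not report as a scheme, so trimming whitespace and stripping control characters from `$url` before parsing (and adding a test for `" javascript:"` and `"java\tscript:"`) is worth confirming. The fallback `return htmlspecialchars($url);` silently changes output for such rows; a short comment explaining that the raw text is shown instead of a link would help the next reader.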

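--- a/libraries/plugins/transformations/abs/TextLinkTransformationsPlugin.php
+++ b/libraries/plugins/transformations/abs/TextLinkTransformationsPlugin.php
@@ -46,11 +46,14 @@ public static function getInfo()
 */
 public function applyTransformation($buffer, $options = array(), $meta = '')
 {
-$append_part = (isset($options[2]) && $options[2]) ? '' : $buffer;
-
+$url = (isset($options[0]) ? $options[0] : '') . ((isset($options[2]) && $options[2]) ? '' : $buffer);
+$parsed = parse_url($url);
+/* Do not allow javascript links */
+if (isset($parsed['scheme']) && $parsed['scheme'] == 'javascript') {
+return htmlspecialchars($url);
+}
 return '<a href="'
-. htmlspecialchars(isset($options[0]) ? $options[0] : '')
-. htmlspecialchars($append_part)
+. htmlspecialchars($url)
 . '" title="'
 . htmlspecialchars(isset($options[1]) ? $options[1] : '')
 . '" target="_new">'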
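Review bot: The scheme check added here is a verbatim copy of the one in TextImageLinkTransformationsPlugin, so the next bypass (and this one already has one: `JavaScript:` passes the literal `== 'javascript'` test) has to be fixed in two places; the lines from `$parsed = parse_url($url);` through the closing `}` belong in a single shared helper on the common plugin base that both `applyTransformation()` methods call. That helper should lowercase the scheme before comparing and preferably allowlist (`http`, `https`, `ftp`, `mailto`) instead of denylisting one value. Also note that when `$options[2]` is truthy, `$buffer` is dropped from `$url` entirely and only the operator-configured prefix is checked, which looks intended but deserves a one-line comment on the `$url =` line. The body of `applyTransformation()` continues past the end of this hunk.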
