only allow configured URL schemes in external links

This fixes a problem where JavaScript could be introduced through
specially crafted RSS feeds on a lower level than the commit from
yesterday (1ca2719)

This also fixes a problem where JavaScript links could be introduced by
specifying it as an RSS URL: the resulting error message displays a
link to the broken feed URL. This patch makes sure there's no working
link for unknown protocols.
commit 8dd5c1d6612a6c7f217da041703183200405fa90 1 parent 458dd6e
@splitbrain authored
Showing with 13 additions and 0 deletions.
  1. +13 −0 inc/parser/xhtml.php
13 inc/parser/xhtml.php
@@ -646,6 +646,19 @@ function externallink($url, $name = NULL) {
$name = $this->_getLinkTitle($name, $url, $isImage);
+ // url might be an attack vector, only allow registered protocols
+ if(is_null($this->schemes)) $this->schemes = getSchemes();
+ list($scheme) = explode('://',$url);
+ $scheme = strtolower($scheme);
+ if(!in_array($scheme,$this->schemes)) $url = '';
+
+ // is there still an URL?
+ if(!$url){
+ $this->doc .= $name;
+ return;
+ }
+
+ // set class
if ( !$isImage ) {
$class='urlextern';
} else {
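Review bot: the allowlist check at `list($scheme) = explode('://',$url);` only looks at the text before the first `://`, so a value with no `://` at all (a `javascript:` URL, for instance) leaves the whole string in `$scheme`, fails `in_array`, and is blanked; that is the safe outcome, but it is an implicit fall-through and deserves a one-line comment saying it is intended, otherwise a later reader may "fix" it by splitting on `:` and changing the behaviour. Two further things to confirm that the hunk does not show: `$this->schemes` is initialised lazily through `is_null`, so the property should be declared on the class rather than created on first write, and the fallback `$this->doc .= $name;` emits the title straight into the document, which is only safe if `_getLinkTitle` has already escaped it for HTML; if it has not, the same crafted feed could carry its payload in the link text instead of the URL.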