From 061f43788c9989509b4ec827172621664369c89f Mon Sep 17 00:00:00 2001 From: Michael Date: Mon, 12 Feb 2024 05:21:13 +0000 Subject: [PATCH] Sanitize links before storing them --- src/Content/Text/BBCode.php | 32 +++++--------------------------- src/Model/Post/Link.php | 3 ++- src/Model/Post/Media.php | 1 + src/Util/Network.php | 23 +++++++++++++++++++++++ 4 files changed, 31 insertions(+), 28 deletions(-) diff --git a/src/Content/Text/BBCode.php b/src/Content/Text/BBCode.php index 80c3bb2299..67a3aae863 100644 --- a/src/Content/Text/BBCode.php +++ b/src/Content/Text/BBCode.php @@ -41,6 +41,7 @@ use Friendica\Model\Tag; use Friendica\Network\HTTPClient\Client\HttpClientAccept; use Friendica\Network\HTTPClient\Client\HttpClientOptions; use Friendica\Util\Map; +use Friendica\Util\Network; use Friendica\Util\ParseUrl; use Friendica\Util\Proxy; use Friendica\Util\Strings; @@ -434,7 +435,7 @@ class BBCode return $text; } - $data['url'] = self::sanitizeLink($data['url']); + $data['url'] = Network::sanitizeUrl($data['url']); if (isset($data['title'])) { $data['title'] = strip_tags($data['title']); @@ -487,7 +488,7 @@ class BBCode } if (!empty($data['provider_url']) && !empty($data['provider_name'])) { - $data['provider_url'] = self::sanitizeLink($data['provider_url']); + $data['provider_url'] = Network::sanitizeUrl($data['provider_url']); if (!empty($data['author_name'])) { $return .= sprintf('%s (%s)', $data['provider_url'], $data['author_name'], $data['provider_name']); } else { 
@@ -1067,29 +1068,6 @@ class BBCode return $text; } - /** - * Remove invalid parts from an URL - * - * @param string $url - * @return string sanitized URL - */ - private static function sanitizeLink(string $url): string - { - $sanitzed = $url = trim($url); - - foreach (['"', ' '] as $character) { - $pos = strpos($sanitzed, $character); - if ($pos !== false) { - $sanitzed = trim(substr($sanitzed, 0, $pos)); - } - } - - if ($sanitzed != $url) { - Logger::debug('Link got sanitized', ['url' => $url, 'sanitzed' => $sanitzed]); - } - return $sanitzed; - } - /** * Callback: Sanitize links from given $match array * @@ -1099,9 +1077,9 @@ class BBCode private static function sanitizeLinksCallback(array $match): string { if (count($match) == 3) { - return '[' . $match[1] . ']' . self::sanitizeLink($match[2]) . '[/' . $match[1] . ']'; + return '[' . $match[1] . ']' . Network::sanitizeUrl($match[2]) . '[/' . $match[1] . ']'; } else { - return '[' . $match[1] . '=' . self::sanitizeLink($match[2]) . ']' . $match[3] . '[/' . $match[1] . ']'; + return '[' . $match[1] . '=' . Network::sanitizeUrl($match[2]) . ']' . $match[3] . '[/' . $match[1] . ']'; } } diff --git a/src/Model/Post/Link.php b/src/Model/Post/Link.php index 4146efe761..be2f7fd2da 100644 --- a/src/Model/Post/Link.php +++ b/src/Model/Post/Link.php @@ -31,6 +31,7 @@ use Friendica\Util\HTTPSignature; use Friendica\Util\Images; use Friendica\Util\Proxy; use Friendica\Object\Image; +use Friendica\Util\Network; /** * Class Link @@ -77,7 +78,7 @@ class Link } else { $fields = self::fetchMimeType($url); $fields['uri-id'] = $uriId; - $fields['url'] = $url; + $fields['url'] = Network::sanitizeUrl($url); DBA::insert('post-link', $fields, Database::INSERT_IGNORE); $id = DBA::lastInsertId(); diff --git a/src/Model/Post/Media.php b/src/Model/Post/Media.php index afd6ca8383..cbbfdb97ec 100644 --- a/src/Model/Post/Media.php +++ b/src/Model/Post/Media.php 
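Review bot: `self::fetchMimeType($url)` on the line above this change still receives the raw `$url`, so the MIME type is fetched for one URL while a possibly truncated one is stored in `$fields['url']`; sanitizing first, `$url = Network::sanitizeUrl($url);` ahead of the `fetchMimeType` call (or at the start of the method), keeps the two consistent. The enclosing method starts and ends outside the hunk; if the branch preceding this `else` looks up an existing `post-link` row by the raw `$url`, it will not match rows stored under the sanitized value, so that lookup presumably needs the same treatment or the `INSERT_IGNORE` will silently drop the duplicate.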
@@ -96,6 +96,7 @@ class Media return false; } + $media['url'] = Network::sanitizeUrl($media['url']); $media = self::unsetEmptyFields($media); $media = DI::dbaDefinition()->truncateFieldsForTable('post-media', $media); diff --git a/src/Util/Network.php b/src/Util/Network.php index 415a20c763..02124a4e71 100644 --- a/src/Util/Network.php +++ b/src/Util/Network.php @@ -659,6 +659,29 @@ class Network return !empty($scheme) && in_array($scheme, ['http', 'https']) && parse_url($url, PHP_URL_HOST); } + /** + * Remove invalid parts from an URL + * + * @param string $url + * @return string sanitized URL + */ + public static function sanitizeUrl(string $url): string + { + $sanitized = $url = trim($url); + + foreach (['"', ' '] as $character) { + $pos = strpos($sanitized, $character); + if ($pos !== false) { + $sanitized = trim(substr($sanitized, 0, $pos)); + } + } + + if ($sanitized != $url) { + Logger::debug('Link got sanitized', ['url' => $url, 'sanitzed' => $sanitized]); + } + return $sanitized; + } + /** * Creates an Uri object out of a given Uri string *
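Review bot: `Network::sanitizeUrl` is called here but this file section adds no `use Friendica\Util\Network;` line, whereas the BBCode.php and Link.php sections both do; unless Media.php already imports it (not visible in the hunk), the bare `Network` name resolves inside the class's own namespace and the call fails with an undefined class. If the import is missing, add `use Friendica\Util\Network;` next to the file's other `Friendica\Util` imports. The enclosing method starts and ends outside the hunk, so whether `$media['url']` is guaranteed to be a string at this point cannot be seen; since `sanitizeUrl` takes a `string` parameter, a null value would be a TypeError under `strict_types` (or silently coerced to `''` without it), so a guard such as `if (isset($media['url']))` may be needed if the check above does not already ensure it.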
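Review bot: `sanitizeUrl` only cuts the value at the first `"` or space, so a URL containing a tab, newline, `<` or `>` is stored unchanged and later re-emitted verbatim by the BBCode callers in this patch; none of those characters is valid unescaped in a URL, so the `foreach` line should at least read `foreach (['"', ' ', "\t", "\n", "\r", '<', '>'] as $character) {` (a single quote is a legal URL character but an attribute delimiter downstream, so whether to cut on it is a judgement call worth a comment). `$sanitized != $url` can be `!==` since both sides are strings, and the log context key `'sanitzed'` carries the old typo over from the removed BBCode method. The function makes no scheme or host check; the method visible just above it in the hunk, which accepts only `http`/`https` with a host, remains the place for that, and code that persists URLs may want both. `Logger::debug` also assumes Logger is already imported in Network.php, which the hunk does not show.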