Friendica/friendica-github
1
0
Fork 0
mirror of https://github.com/friendica/friendica synced 2025-04-19 06:30:10 +00:00
Code Issues Projects Releases Packages Wiki Activity

Add protocol whitelist for href/src attributes

Browse source 
- Add strict URL checker for src attributes
- Add protocol whitelist for href attributes
- Add error styling if URL fails to pass filter
- Add doc for new htconfig value
- Add emphasis to config key names in htconfig doc
This commit is contained in:
Hypolite Petovan 2016-12-03 14:19:57 -05:00
parent 47a370c5e3
commit 979fc6d38a
4 changed files with 88 additions and 71 deletions
Download patch file Download diff file Expand all files Collapse all files

12
include/bbcode.php
View file

@ -1163,11 +1163,17 @@ function bbcode($Text,$preserve_nl = false, $tryoembed = true, $simplehtml = fal
// fix any escaped ampersands that may have been converted into links
$Text = preg_replace('/\<([^>]*?)(src|href)=(.*?)\&amp\;(.*?)\>/ism', '<$1$2=$3&$4>', $Text);
// removes potentially harmful javascript in src/href
$Text = preg_replace('/\<([^>]*?)(src|href)="javascript(.*?)\>/ism', '', $Text);
// sanitizes src attributes (only relative URIs or http URLs)
$Text = preg_replace('#<([^>]*?)(src)="(?!/|http)(.*?)"(.*?)>#ism', '<$1$2=""$4 class="invalid-src" title="' . t('Invalid source protocol') . '">', $Text);
if($saved_image)
// sanitize href attributes (only relative URIs or whitelisted protocols URLs)
$allowed_link_protocols = get_config('system', 'allowed_link_protocols');
$regex = '#<([^>]*?)(href)="(?!/|http|' . implode('|', $allowed_link_protocols) . ')(.*?)"(.*?)>#ism';
$Text = preg_replace($regex, '<$1$2="javascript:void(0)"$4 class="invalid-href" title="' . t('Invalid link protocol') . '">', $Text);
if($saved_image) {
$Text = bb_replace_images($Text, $saved_image);
}
// Clean up the HTML by loading and saving the HTML with the DOM.
// Bad structured html can break a whole page.