Clean the profile URL when follow

mod/follow.php

@@ -41,7 +41,7 @@ function follow_post(App $a)
 	}
 
 	$uid = local_user();
-	$url = Strings::escapeTags(trim($_REQUEST['url']));
+	$url = Probe::cleanURI($_REQUEST['url']);
 	$return_path = 'follow?url=' . urlencode($url);
 
 	// Makes the connection request for friendica contacts easier

src/Module/RemoteFollow.php

@@ -54,7 +54,7 @@ class RemoteFollow extends BaseModule
 			return;
 		}
 		
-		$url = trim($_POST['dfrn_url']);
+		$url = Probe::cleanURI($_POST['dfrn_url']);
 		if (!strlen($url)) {
 			notice(DI::l10n()->t("Invalid locator"));
 			return;

src/Network/Probe.php

@@ -47,6 +47,31 @@ class Probe
 	private static $baseurl;
 	private static $istimeout;
 
+	/**
+	 * Remove stuff from an URI that doesn't belong there
+	 *
+	 * @param string $URI
+	 * @return string Cleaned URI
+	 */
+	public static function cleanURI(string $URI)
+	{
+		// At first remove leading and trailing junk
+		$URI = trim($URI, "@#?:/ \t\n\r\0\x0B");
+
+		$parts = parse_url($URI);
+
+		if (empty($parts['scheme'])) {
+			return $URI;
+		}
+
+		// Remove the URL fragment, since these shouldn't be part of any profile URL
+		unset($parts['fragment']);
+
+		$URI = Network::unparseURL($parts);
+
+		return $URI;
+	}
+
 	/**
 	 * Rearrange the array so that it always has the same order
 	 *