authorChristian Schneider2022-02-06 20:12:00 +0100
committerChristian Schneider2022-02-06 20:13:18 +0100
commit5eba8aa0df1befd34eb15a57dacfdc66cffd14ac (patch)
tree2e14bc4a995bf12738649adc9dd8550a01094ffa /it_html.class
parente867407ae8b86b3170f0f103607d54a0fb7c616e (diff)
Filter out javascript: scheme in U() to avoid more XSS attacks
Diffstat (limited to 'it_html.class')
-rw-r--r--it_html.class6
1 files changed, 6 insertions, 0 deletions
diff --git a/it_html.class b/it_html.class
index d65b101..5175f2d 100644
--- a/it_html.class
+++ b/it_html.class
@@ -516,6 +516,12 @@ static function U(...$args)
($u['host'] ? $u['host'] : "") .
($u['port'] ? ":" . intval($u['port']) : "");
+ if (it::match('javascript', $u['scheme']))
+ {
+ it::error(['title' => "Invalid URL scheme javascript", 'body' => ['args' => $args, 'u' => $u]]); # FIXME CS 2022-03-01 Remove warning on javascript urls
+ $u['scheme'] = '';
+ }
+
$schemepart = $hostpart ? ($u['scheme'] ? $u['scheme'] . ":" : "") . "//$hostpart" : ($u['scheme'] == "mailto" ? $u['scheme'] . ":" : "");
# remove strings that will be interpreted as scheme from path