From 5eba8aa0df1befd34eb15a57dacfdc66cffd14ac Mon Sep 17 00:00:00 2001
From: Christian Schneider
Date: Sun, 6 Feb 2022 20:12:00 +0100
Subject: Filter out javascript: scheme in U() to avoid more XSS attacks

---
 it_html.class | 6 ++++++
 1 file changed, 6 insertions(+)

(limited to 'it_html.class')

diff --git a/it_html.class b/it_html.class
index d65b101..5175f2d 100644
--- a/it_html.class
+++ b/it_html.class
@@ -516,6 +516,12 @@ static function U(...$args)
 		($u['host'] ? $u['host'] : "") .
 		($u['port'] ? ":" . intval($u['port']) : "");
 
+	if (it::match('javascript', $u['scheme']))
+	{
+		it::error(['title' => "Invalid URL scheme javascript", 'body' => ['args' => $args, 'u' => $u]]);	# FIXME CS 2022-03-01 Remove warning on javascript urls
+		$u['scheme'] = '';
+	}
+
 	$schemepart = $hostpart ? ($u['scheme'] ? $u['scheme'] . ":" : "") . "//$hostpart" : ($u['scheme'] == "mailto" ? $u['scheme'] . ":" : "");
 
 	# remove strings that will be interpreted as scheme from path
-- 
cgit v1.2.3