Merge branch 'master' of git://github.com/splitbrain/dokuwiki into media-revisions

author: Kate Arzamastseva <pshns@ukr.net> 2011-06-24 11:32:51 +0300
committer: Kate Arzamastseva <pshns@ukr.net> 2011-06-24 11:32:51 +0300
commit: a2dc299eb0593f35454deb21a2cb5d51a235e80a (patch)
tree: 5b14bf906bbd13495826ebbe86d3af1c8fd88f71 /inc/parser/xhtml.php
parent: 70c3cc9a17d47d8986cba0805d943c1a68af1740 (diff)
parent: c949174a2e8c324e3e463a9d10e9e6dc07b0ba9e (diff)
download: rpg-a2dc299eb0593f35454deb21a2cb5d51a235e80a.tar.gz
rpg-a2dc299eb0593f35454deb21a2cb5d51a235e80a.tar.bz2
1 files changed, 13 insertions, 0 deletions
diff --git a/inc/parser/xhtml.php b/inc/parser/xhtml.php
index 1041268b1..83359cd55 100644
--- a/inc/parser/xhtml.php
+++ b/inc/parser/xhtml.php
@@ -646,6 +646,19 @@ class Doku_Renderer_xhtml extends Doku_Renderer {
 
         $name = $this->_getLinkTitle($name, $url, $isImage);
 
+        // url might be an attack vector, only allow registered protocols
+        if(is_null($this->schemes)) $this->schemes = getSchemes();
+        list($scheme) = explode('://',$url);
+        $scheme = strtolower($scheme);
+        if(!in_array($scheme,$this->schemes)) $url = '';
+
+        // is there still an URL?
+        if(!$url){
+            $this->doc .= $name;
+            return;
+        }
+
+        // set class
         if ( !$isImage ) {
             $class='urlextern';
         } else {
author	Kate Arzamastseva <pshns@ukr.net>	2011-06-24 11:32:51 +0300
committer	Kate Arzamastseva <pshns@ukr.net>	2011-06-24 11:32:51 +0300
commit	a2dc299eb0593f35454deb21a2cb5d51a235e80a (patch)
tree	5b14bf906bbd13495826ebbe86d3af1c8fd88f71 /inc/parser/xhtml.php
parent	70c3cc9a17d47d8986cba0805d943c1a68af1740 (diff)
parent	c949174a2e8c324e3e463a9d10e9e6dc07b0ba9e (diff)
download	rpg-a2dc299eb0593f35454deb21a2cb5d51a235e80a.tar.gz rpg-a2dc299eb0593f35454deb21a2cb5d51a235e80a.tar.bz2