author | Andreas Gohr <andi@splitbrain.org> | 2011-06-14 19:50:29 +0200 |
committer | Andreas Gohr <andi@splitbrain.org> | 2011-06-14 21:29:35 +0200 |
commit | 8dd5c1d6612a6c7f217da041703183200405fa90 (patch) | |
tree | 9134379e351d5137c7ff4fac256e5ed1a86f25e9 | |
parent | 458dd6e829124891f9998c30b061131c67b86ac4 (diff) | |
only allow configured URL schemes in external links
This fixes a problem where JavaScript could be introduced through
specially crafted RSS feeds on a lower level than the commit from
yesterday (1ca2719c7488662ebd7964c0d026e0890f923ee9)
This also fixes a problem where JavaScript links could be introduced by
specifying one as an RSS URL: the resulting error message displays a
link to the broken feed URL. This patch makes sure there is no working
link for unknown protocols.
-rw-r--r-- | inc/parser/xhtml.php | 13 |
1 files changed, 13 insertions, 0 deletions
diff --git a/inc/parser/xhtml.php b/inc/parser/xhtml.php
index 1041268b1..83359cd55 100644
--- a/inc/parser/xhtml.php
+++ b/inc/parser/xhtml.php
@@ -646,6 +646,19 @@ class Doku_Renderer_xhtml extends Doku_Renderer {
 $name = $this->_getLinkTitle($name, $url, $isImage);
+ // url might be an attack vector, only allow registered protocols
+ if(is_null($this->schemes)) $this->schemes = getSchemes();
+ list($scheme) = explode('://',$url);
+ $scheme = strtolower($scheme);
+ if(!in_array($scheme,$this->schemes)) $url = '';
+
+ // is there still an URL?
+ if(!$url){
+ $this->doc .= $name;
+ return;
+ }
+
+ // set class
 if ( !$isImage ) {
 $class='urlextern';
 } else {
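Review bot: The allow-list test `if(!in_array($scheme,$this->schemes)) $url = '';` compares the feed-supplied scheme loosely; use `if(!in_array($scheme,$this->schemes,true)) $url = '';` so only an exact string match against the configured scheme names passes. It is worth stating in the comment above `list($scheme) = explode('://',$url);` that a URL without `://` leaves the whole string in `$scheme`, which then fails the allow-list and drops the link — the check fails closed, which is the property this commit relies on. `$this->schemes` is read before it is assigned; if the class does not already declare that property, a `var $schemes = null;` declaration (not part of this commit) is needed so the `is_null` test does not rest on an undeclared property. The enclosing method starts and ends outside the hunk, so how the surviving `$url` is escaped into the href is not visible here.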