authorAndreas Gohr <andi@splitbrain.org>2011-06-14 19:50:29 +0200
committerAndreas Gohr <andi@splitbrain.org>2011-06-14 20:44:58 +0200
commitb52b15965611fc865058c0331b55e4e9bccabd2e (patch)
tree6227bcc2789616f316b1de650997f6e217e2a593 /inc/parser
parent5f27cb0eab98fa6b4856278436d6aacadc4a1acb (diff)
downloadrpg-b52b15965611fc865058c0331b55e4e9bccabd2e.tar.gz
rpg-b52b15965611fc865058c0331b55e4e9bccabd2e.tar.bz2
only allow configured URL schemes in external links
This fixes a problem where JavaScript could be introduced through specially crafted RSS feeds on a lower level than the commit from yesterday (1ca2719c7488662ebd7964c0d026e0890f923ee9). This also fixes a problem where JavaScript links could be introduced by specifying one as an RSS URL: the resulting error message displays a link to the broken feed URL. This patch makes sure there is no working link for unknown protocols.
Diffstat (limited to 'inc/parser')
-rw-r--r--inc/parser/xhtml.php13
1 files changed, 13 insertions, 0 deletions
diff --git a/inc/parser/xhtml.php b/inc/parser/xhtml.php
index 1af3a1ce1..22dc58963 100644
--- a/inc/parser/xhtml.php
+++ b/inc/parser/xhtml.php
@@ -648,6 +648,19 @@ class Doku_Renderer_xhtml extends Doku_Renderer {
$name = $this->_getLinkTitle($name, $url, $isImage);
+ // url might be an attack vector, only allow registered protocols
+ if(is_null($this->schemes)) $this->schemes = getSchemes();
+ list($scheme) = explode('://',$url);
+ $scheme = strtolower($scheme);
+ if(!in_array($scheme,$this->schemes)) $url = '';
+
+ // is there still an URL?
+ if(!$url){
+ $this->doc .= $name;
+ return;
+ }
+
+ // set class
if ( !$isImage ) {
$class='urlextern';
} else {