Diffstat (limited to 'inc/parser/xhtml.php')
-rw-r--r--inc/parser/xhtml.php13
1 files changed, 13 insertions, 0 deletions
diff --git a/inc/parser/xhtml.php b/inc/parser/xhtml.php
index 1af3a1ce1..22dc58963 100644
--- a/inc/parser/xhtml.php
+++ b/inc/parser/xhtml.php
@@ -648,6 +648,19 @@ class Doku_Renderer_xhtml extends Doku_Renderer {
$name = $this->_getLinkTitle($name, $url, $isImage);
+ // url might be an attack vector, only allow registered protocols
+ if(is_null($this->schemes)) $this->schemes = getSchemes();
+ list($scheme) = explode('://',$url);
+ $scheme = strtolower($scheme);
+ if(!in_array($scheme,$this->schemes)) $url = '';
+
+ // is there still an URL?
+ if(!$url){
+ $this->doc .= $name;
+ return;
+ }
+
+ // set class
if ( !$isImage ) {
$class='urlextern';
} else {
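Review bot: The fallback at `$this->doc .= $name;` writes `$name` into the output with no escaping of its own, so the rejected-link path is only safe if `_getLinkTitle()` already returns HTML-escaped markup; that is not visible in this hunk and is worth confirming and recording in a comment. The allowlist check fails closed, since a URL without `://` makes the whole string the "scheme" and is dropped, but that also silently drops protocol-relative links, so I would document it with something like `// URLs without '://' (e.g. //host/path) never match a registered scheme and are rendered as plain text`. I would also write `in_array($scheme, $this->schemes, true)` to avoid loose comparison and `explode('://', $url, 2)` since only the first segment is used. The enclosing method starts and ends outside the hunk, so whether `$this->schemes` is declared and initialised to null cannot be checked from here.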